260 lines
		
	
	
		
			15 KiB
		
	
	
	
		
			HTML
		
	
	
	
	
	
			
		
		
	
	
		
	
	
	
	
	
| <!DOCTYPE html>
 | |
| <html lang="en" prefix="og: https://ogp.me/ns#">
 | |
|     <head>
 | |
|         <meta charset="utf-8"/>
 | |
|         <title>Web install | GrapheneOS</title>
 | |
|         <meta name="description" content="Web-based installer for GrapheneOS"/>
 | |
|         <meta name="theme-color" content="#212121"/>
 | |
|         <meta name="msapplication-TileColor" content="#ffffff"/>
 | |
|         <meta name="viewport" content="width=device-width, initial-scale=1"/>
 | |
|         <meta name="twitter:site" content="@GrapheneOS"/>
 | |
|         <meta name="twitter:creator" content="@GrapheneOS"/>
 | |
|         <meta property="og:title" content="GrapheneOS web install"/>
 | |
|         <meta property="og:description" content="Web-based installer for GrapheneOS"/>
 | |
|         <meta property="og:type" content="website"/>
 | |
|         <meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
 | |
|         <meta property="og:image:width" content="512"/>
 | |
|         <meta property="og:image:height" content="512"/>
 | |
|         <meta property="og:image:alt" content="GrapheneOS logo"/>
 | |
|         <meta property="og:site_name" content="GrapheneOS"/>
 | |
|         <meta property="og:url" content="https://grapheneos.org/web-install"/>
 | |
|         <link rel="canonical" href="https://grapheneos.org/web-install"/>
 | |
|         <link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
 | |
|         <link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
 | |
|         <link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
 | |
|         <link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
 | |
|         <link rel="stylesheet" href="/grapheneos.css?29"/>
 | |
|         <link rel="manifest" href="/manifest.webmanifest"/>
 | |
|         <link rel="license" href="/LICENSE.txt"/>
 | |
|         <script defer="defer" src="/js/fastboot/libs/zip-inflate.min.js?0"></script>
 | |
|         <script type="module" src="/js/fastboot/common.js?1"></script>
 | |
|         <script type="module" src="/js/fastboot/factory.js?1"></script>
 | |
|         <script type="module" src="/js/fastboot/sparse.js?1"></script>
 | |
|         <script type="module" src="/js/fastboot/fastboot.js?1"></script>
 | |
|         <script type="module" src="/js/web-install.js?3"></script>
 | |
|     </head>
 | |
|     <body>
 | |
|         <header>
 | |
|             <nav id="site-menu">
 | |
|                 <ul>
 | |
|                     <li><a href="/">GrapheneOS</a></li>
 | |
|                     <li><a href="/features">Features</a></li>
 | |
|                     <li><a href="/install">Install</a></li>
 | |
|                     <li><a href="/build">Build</a></li>
 | |
|                     <li><a href="/usage">Usage</a></li>
 | |
|                     <li><a href="/faq">FAQ</a></li>
 | |
|                     <li><a href="/releases">Releases</a></li>
 | |
|                     <li><a href="/source">Source</a></li>
 | |
|                     <li><a href="/articles/">Articles</a></li>
 | |
|                     <li><a href="/donate">Donate</a></li>
 | |
|                     <li><a href="/contact">Contact</a></li>
 | |
|                 </ul>
 | |
|             </nav>
 | |
|         </header>
 | |
|         <main id="web-install">
 | |
|             <h1><a href="#web-install">Web install</a></h1>
 | |
| 
 | |
|             <p><strong>This is a highly experimental WebUSB-based installer for GrapheneOS. Use it
 | |
|             at your own risk. Use the <a href="/install">official install guide</a> until this has
 | |
|             been more thoroughly tested and improved.</strong></p>
 | |
| 
 | |
|             <section id="prerequisites">
 | |
|                 <h2><a href="#prerequisites">Prerequisites</a></h2>
 | |
| 
 | |
|                 <p>You should have at least 2GB of free memory available and 8GB of free storage
 | |
|                 space.</p>
 | |
| 
 | |
|                 <p>You need a USB cable for attaching the device to a laptop or desktop. Whenever
 | |
|                 possible, use the high-quality, standards-compliant USB-C cable packaged with the
 | |
|                 device. If your computer doesn't have any USB-C ports, you'll need a high-quality
 | |
|                 USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on
 | |
|                 a desktop computer case. Connect directly to a rear port on a desktop or the ports
 | |
|                 on a laptop. Many widely distributed USB cables and hubs are broken and are the
 | |
|                 most common source of issues for installing GrapheneOS.</p>
 | |
| 
 | |
|                 <p>Installing from an OS in a virtual machine is not recommended. USB passthrough
 | |
|                 is often not reliable. To rule out these problems, install from an OS running on
 | |
|                 bare metal. Virtual machines are also often configured to have overly limited
 | |
|                 memory and storage space.</p>
 | |
| 
 | |
|                 <p>Windows 10, macOS Big Sur, Arch Linux, Debian buster and Ubuntu 20.04 LTS are the
 | |
|                 officially supported operating systems for installing GrapheneOS. You should make sure
 | |
|                 your operating system is up-to-date before proceeding with these instructions. Older
 | |
|                 versions and other Linux distributions usually work, but if you encounter problems try
 | |
|                 using one of the officially supported options.</p>
 | |
| 
 | |
|                 <p>For this web-based installation process, the latest stable release of Chromium
 | |
|                 or Chrome is recommended.</p>
 | |
| 
 | |
|                 <p>You need one of the officially supported devices. To make sure that the device can
 | |
|                 be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier
 | |
|                 variants of Pixels use the same stock OS and firmware with a non-zero carrier id
 | |
|                 flashed onto the persist partition in the factory. The carrier id activates
 | |
|                 carrier-specific configuration in the stock OS including disabling carrier and
 | |
|                 bootloader unlocking. The carrier may be able to remotely disable this, but their
 | |
|                 support staff may not be aware and they probably won't do it. Get a carrier agnostic
 | |
|                 device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a
 | |
|                 carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id
 | |
|                 and the hardware is the same.</p>
 | |
| 
 | |
|                 <p>It's best practice to update the stock OS on the device to make sure it's running
 | |
|                 the latest firmware before proceeding with these instructions. This avoids running
 | |
|                 into bugs, missing features or other differences in older firmware versions. You can
 | |
|                 either update the device via over-the-air updates or sideload a full update, which for
 | |
|                 Pixel phones can be obtained from the
 | |
|                 <a href="https://developers.google.com/android/ota">full update package page</a>.</p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="enabling-oem-unlocking">
 | |
|                 <h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
 | |
| 
 | |
|                 <p>OEM unlocking needs to be enabled from within the operating system.</p>
 | |
| 
 | |
|                 <p>Enable the developer options menu by going to Settings ➔ About phone and
 | |
|                 pressing on the build number menu entry until developer mode is enabled.</p>
 | |
| 
 | |
|                 <p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the
 | |
|                 'Enable OEM unlocking' setting. This requires internet access on devices with Google
 | |
|                 Play services as part of Factory Reset Protection (FRP) for anti-theft protection.</p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="connecting-phone">
 | |
|                 <h2><a href="#connecting-phone">Connecting the phone</a></h2>
 | |
| 
 | |
|                 <p>Connect the phone to the computer. On Linux, you'll need to do this again if
 | |
|                 you didn't have the udev rules set up when you connected it.</p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="unlocking-the-bootloader">
 | |
|                 <h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
 | |
| 
 | |
|                 <p>First, boot into the bootloader interface. You can do this by turning off the
 | |
|                 device and then turning it on by holding both the Volume Down and Power buttons.</p>
 | |
| 
 | |
|                 <p>Unlock the bootloader to allow flashing the OS and firmware:</p>
 | |
| 
 | |
|                 <button id="unlock-bootloader-button" disabled="disabled">Unlock bootloader</button>
 | |
| 
 | |
|                 <p>The command needs to be confirmed on the device and will wipe all data. Use one
 | |
|                 of the volume keys to switch the selection to accepting it and the power button to
 | |
|                 confirm.</p>
 | |
| 
 | |
|                 <p><strong id="unlock-bootloader-status"></strong></p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="obtaining-factory-images">
 | |
|                 <h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
 | |
| 
 | |
|                 <p>You need to obtain the GrapheneOS factory images for your device to proceed with
 | |
|                 the installation process.</p>
 | |
| 
 | |
|                 <p>Press the button below to start the download:</p>
 | |
| 
 | |
|                 <button id="download-release-button" disabled="disabled">Download release</button>
 | |
| 
 | |
|                 <p><strong id="download-release-status"></strong></p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="flashing-factory-images">
 | |
|                 <h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
 | |
| 
 | |
|                 <p>The initial install will be performed by flashing the factory images. This will
 | |
|                 replace the existing OS installation and wipe all the existing data.</p>
 | |
| 
 | |
|                 <button id="flash-release-button" disabled="disabled">Flash release</button>
 | |
| 
 | |
|                 <p>Wait for the flashing process to complete and proceed to
 | |
|                 <a href="#locking-the-bootloader">locking the bootloader</a> before using the
 | |
|                 device as locking wipes the data again.</p>
 | |
| 
 | |
|                 <p><strong id="flash-release-status"></strong></p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="locking-the-bootloader">
 | |
|                 <h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
 | |
| 
 | |
|                 <p>Locking the bootloader is important as it enables full verified boot. It also
 | |
|                 prevents using fastboot to flash, format or erase partitions. Verified boot will
 | |
|                 detect modifications to any of the OS partitions and it will prevent reading any
 | |
|                 modified or corrupted data. If changes are detected, error correction data is used
 | |
|                 to attempt to recover the original data, which is then verified again. This
 | |
|                 makes verified boot robust to non-malicious corruption.</p>
 | |
| 
 | |
|                 <p>In the bootloader interface, set it to locked:</p>
 | |
| 
 | |
|                 <button id="lock-bootloader-button" disabled="disabled">Lock bootloader</button>
 | |
| 
 | |
|                 <p>The command needs to be confirmed on the device and will wipe all data. Use one
 | |
|                 of the volume buttons to switch the selection to accepting it and the power button
 | |
|                 to confirm.</p>
 | |
| 
 | |
|                 <p><strong id="lock-bootloader-status"></strong></p>
 | |
|             </section>
 | |
| 
 | |
|             <section id="post-installation">
 | |
|                 <h2><a href="#post-installation">Post-installation</a></h2>
 | |
| 
 | |
|                 <section id="booting">
 | |
|                     <h3><a href="#booting">Booting</a></h3>
 | |
| 
 | |
|                     <p>You've now successfully installed GrapheneOS and can boot it. Pressing the
 | |
|                     power button with the default Start option selected in the bootloader menu
 | |
|                     will boot the OS.</p>
 | |
|                 </section>
 | |
| 
 | |
|                 <section id="disabling-oem-unlocking">
 | |
|                     <h3><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h3>
 | |
| 
 | |
|                     <p>OEM unlocking can be disabled again in the developer settings menu within the
 | |
|                     operating system after booting it up again.</p>
 | |
|                 </section>
 | |
| 
 | |
|                 <section id="verifying-installation">
 | |
|                     <h3><a href="#verifying-installation">Verifying installation</a></h3>
 | |
| 
 | |
|                     <p>Verified boot authenticates and validates the firmware images and OS from the
 | |
|                     hardware root of trust. Since GrapheneOS supports full verified boot, the OS images
 | |
|                     are entirely verified. However, it's possible that the computer you used to flash the
 | |
|                     OS was compromised, leading to flashing a malicious verified boot public key and
 | |
|                     images. To detect this kind of attack, you can use the Auditor app included in
 | |
|                     GrapheneOS in the Auditee mode and verify it with another Android device in the
 | |
|                     Auditor mode. The Auditor app works best once it's already paired with a device and
 | |
|                     has pinned a persistent hardware-backed key and the attestation certificate chain.
 | |
|                     However, it can still provide a bit of security for the initial verification via the
 | |
|                     attestation root. Ideally, you should also do this before connecting the device to the
 | |
|                     network, so an attacker can't proxy to another device (which stops being possible
 | |
|                     after the initial verification). Further protection against proxying the initial
 | |
|                     pairing will be provided in the future via optional support for ID attestation to
 | |
|                     include the serial number in the hardware verified information to allow checking
 | |
|                     against the one on the box / displayed in the bootloader. See the
 | |
|                     <a href="https://attestation.app/tutorial">Auditor tutorial</a> for a guide.</p>
 | |
| 
 | |
|                     <p>After the initial verification, which results in pairing, performing verification
 | |
|                     between the same Auditor and Auditee (as long as the app data hasn't been
 | |
|                     cleared) will provide strong validation of the identity and integrity of the
 | |
|                     device. That makes it best to get the pairing done right after installation. You can
 | |
|                     also consider setting up the optional remote attestation service.</p>
 | |
|                 </section>
 | |
| 
 | |
|                 <section id="further-information">
 | |
|                     <h3><a href="#further-information">Further information</a></h3>
 | |
| 
 | |
|                     <p>Please look through the <a href="/usage">usage guide</a> and
 | |
|                     <a href="/faq">FAQ</a> for more information. If you have further questions not
 | |
|                     covered by the site, join the <a href="/contact#community">official GrapheneOS
 | |
|                     chat channels</a> and ask the questions in the appropriate channel.</p>
 | |
|                 </section>
 | |
|             </section>
 | |
|         </main>
 | |
|         <footer>
 | |
|             <a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
 | |
|             <ul id="social">
 | |
|                 <li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
 | |
|                 <li><a href="https://github.com/GrapheneOS">GitHub</a></li>
 | |
|                 <li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
 | |
|                 <li><a href="https://www.linkedin.com/company/grapheneos/">LinkedIn</a></li>
 | |
|             </ul>
 | |
|         </footer>
 | |
|     </body>
 | |
| </html>
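
The unlock, flash and lock steps in this page all hinge on the bootloader's lock state. The JavaScript below is an added example, not part of the GrapheneOS page or its installer scripts: it reads that state over the fastboot protocol and gates the flash and finish steps on it. It assumes the bootloader reports an `unlocked` variable with the value `yes` or `no`; the function names and endpoint numbers are hypothetical.

```javascript
// Added example with hypothetical names; not the GrapheneOS installer's own code.
// Fastboot's USB interface, usable as navigator.usb.requestDevice({ filters: [FASTBOOT_FILTER] }).
const FASTBOOT_FILTER = { classCode: 0xff, subclassCode: 0x42, protocolCode: 0x03 };

// Split one fastboot reply packet into its 4-byte ASCII status and the text payload.
function parseReply(bytes) {
    const text = new TextDecoder().decode(bytes);
    const status = text.slice(0, 4);
    if (!["OKAY", "FAIL", "INFO", "DATA"].includes(status)) throw new Error("malformed fastboot reply");
    return { status, message: text.slice(4) };
}

// Run `getvar:<name>` over a transport exposing send(bytes) and receive().
// INFO packets are informational and skipped; OKAY carries the value; anything else is an error.
async function getVar(transport, name) {
    await transport.send(new TextEncoder().encode(`getvar:${name}`));
    for (;;) {
        const { status, message } = parseReply(await transport.receive());
        if (status === "OKAY") return message;
        if (status !== "INFO") throw new Error(`getvar:${name} failed: ${status} ${message}`);
    }
}

// Decide whether a step may proceed, based on the bootloader's own answer.
// Assumption: lock state is exposed as the variable `unlocked` with value "yes" or "no".
async function checkStep(transport, step) {
    const unlocked = await getVar(transport, "unlocked");
    if (unlocked !== "yes" && unlocked !== "no") throw new Error(`unexpected value: ${unlocked}`);
    if (step === "flash") return unlocked === "yes"; // flashing needs an unlocked bootloader
    if (step === "finish") return unlocked === "no"; // install is complete only once locked again
    throw new Error(`unknown step: ${step}`);
}

// Browser-side transport over WebUSB. The endpoint numbers are assumptions and must be
// read from the claimed interface's descriptors; 256 bytes bounds a fastboot reply packet.
function webUsbTransport(device, epIn, epOut) {
    return {
        send: (bytes) => device.transferOut(epOut, bytes),
        receive: async () => {
            const { data } = await device.transferIn(epIn, 256);
            return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
        },
    };
}

// Constructed replies standing in for a device, so the logic can run without hardware.
function fakeTransport(replies) {
    const queue = replies.map((r) => new TextEncoder().encode(r));
    return { sent: [], send(b) { this.sent.push(new TextDecoder().decode(b)); }, receive: async () => queue.shift() };
}
```

A reply that is neither `yes` nor `no` is treated as an error rather than as "locked", so a step is never enabled on an ambiguous answer.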
 | 
