
On Android, Chromium does not support automatic reconnection. The user must manually pair the device after every reboot in order for fastboot.js to reconnect to it. Unfortunately, this requires the user of the library to get involved because USB device connction requests are only allowed as the result of explicit user action, so we need to add a reconnect request callback for the user to handle.
279 lines
16 KiB
HTML
279 lines
16 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" prefix="og: https://ogp.me/ns#">
|
|
<head>
|
|
<meta charset="utf-8"/>
|
|
<title>Web | Install | GrapheneOS</title>
|
|
<meta name="description" content="Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
|
|
<meta name="theme-color" content="#212121"/>
|
|
<meta name="msapplication-TileColor" content="#ffffff"/>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1"/>
|
|
<meta name="twitter:site" content="@GrapheneOS"/>
|
|
<meta name="twitter:creator" content="@GrapheneOS"/>
|
|
<meta property="og:title" content="GrapheneOS web install guide"/>
|
|
<meta property="og:description" content="Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
|
|
<meta property="og:type" content="website"/>
|
|
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
|
|
<meta property="og:image:width" content="512"/>
|
|
<meta property="og:image:height" content="512"/>
|
|
<meta property="og:image:alt" content="GrapheneOS logo"/>
|
|
<meta property="og:site_name" content="GrapheneOS"/>
|
|
<meta property="og:url" content="https://grapheneos.org/install/web"/>
|
|
<link rel="canonical" href="https://grapheneos.org/install/web"/>
|
|
<link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
|
|
<link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
|
|
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
|
|
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
|
|
<link rel="stylesheet" href="/grapheneos.css?29"/>
|
|
<link rel="manifest" href="/manifest.webmanifest"/>
|
|
<link rel="license" href="/LICENSE.txt"/>
|
|
<script type="module" src="/js/redirect.js?9"></script>
|
|
<script type="module" src="/js/fastboot/dist/fastboot.min.mjs?1"></script>
|
|
<script type="module" src="/js/web-install.js?5"></script>
|
|
</head>
|
|
<body>
|
|
<header>
|
|
<nav id="site-menu">
|
|
<ul>
|
|
<li><a href="/">GrapheneOS</a></li>
|
|
<li><a href="/features">Features</a></li>
|
|
<li><a href="/install/">Install</a></li>
|
|
<li><a href="/build">Build</a></li>
|
|
<li><a href="/usage">Usage</a></li>
|
|
<li><a href="/faq">FAQ</a></li>
|
|
<li><a href="/releases">Releases</a></li>
|
|
<li><a href="/source">Source</a></li>
|
|
<li><a href="/articles/">Articles</a></li>
|
|
<li><a href="/donate">Donate</a></li>
|
|
<li><a href="/contact">Contact</a></li>
|
|
</ul>
|
|
</nav>
|
|
</header>
|
|
<main id="web-install">
|
|
<h1><a href="#web-install">Web install</a></h1>
|
|
|
|
<p>This is an <strong>experimental</strong> WebUSB-based installer for GrapheneOS.
|
|
Consider using the <a href="/install/cli">command-line installation guide</a> until
|
|
this has been more thoroughly tested.</p>
|
|
|
|
<section id="prerequisites">
|
|
<h2><a href="#prerequisites">Prerequisites</a></h2>
|
|
|
|
<p>You should have at least 2GB of free memory available and 8GB of free storage
|
|
space.</p>
|
|
|
|
<p>You need a USB cable for attaching the device to a laptop or desktop. Whenever
|
|
possible, use the high quality standards compliant USB-C cable packaged with the
|
|
device. If your computer doesn't have any USB-C ports, you'll need a high quality
|
|
USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on
|
|
a desktop computer case. Connect directly to a rear port on a desktop or the ports
|
|
on a laptop. Many widely distributed USB cables and hubs are broken and are the
|
|
most common source of issues for installing GrapheneOS.</p>
|
|
|
|
<p>Installing from an OS in a virtual machine is not recommended. USB passthrough
|
|
is often not reliable. To rule out these problems, install from an OS running on
|
|
bare metal. Virtual machines are also often configured to have overly limited
|
|
memory and storage space.</p>
|
|
|
|
<p>Windows 10, macOS Big Sur, Arch Linux, Debian buster and Ubuntu 20.04 LTS are the
|
|
officially supported operating systems for installing GrapheneOS. You should make sure
|
|
your operating system is up-to-date before proceeding with these instructions. Older
|
|
versions and other Linux distributions usually work, but if you encounter problems try
|
|
using one of the officially supported options.</p>
|
|
|
|
<p>For this web-based installation process, the latest stable release of Chromium,
|
|
Chrome or Microsoft Edge is recommended. Other Chromium-based browsers will likely
|
|
work but these are the ones that we test.</p>
|
|
|
|
<p>You need one of the officially supported devices. To make sure that the device can
|
|
be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier
|
|
variants of Pixels use the same stock OS and firmware with a non-zero carrier id
|
|
flashed onto the persist partition in the factory. The carrier id activates
|
|
carrier-specific configuration in the stock OS including disabling carrier and
|
|
bootloader unlocking. The carrier may be able to remotely disable this, but their
|
|
support staff may not be aware and they probably won't do it. Get a carrier agnostic
|
|
device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a
|
|
carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id
|
|
and the hardware is the same.</p>
|
|
|
|
<p>It's best practice to update the stock OS on the device to make sure it's running
|
|
the latest firmware before proceeding with these instructions. This avoids running
|
|
into bugs, missing features or other differences in older firmware versions. You can
|
|
either update the device via over-the-air updates or sideload a full update, which for
|
|
Pixel phones can be obtained from the
|
|
<a href="https://developers.google.com/android/ota">full update package page</a>.</p>
|
|
</section>
|
|
|
|
<section id="enabling-oem-unlocking">
|
|
<h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
|
|
|
|
<p>OEM unlocking needs to be enabled from within the operating system.</p>
|
|
|
|
<p>Enable the developer options menu by going to Settings ➔ About phone and
|
|
pressing on the build number menu entry until developer mode is enabled.</p>
|
|
|
|
<p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the
|
|
'Enable OEM unlocking' setting. This requires internet access on devices with Google
|
|
Play services as part of Factory Reset Protection (FRP) for anti-theft protection.</p>
|
|
</section>
|
|
|
|
<section id="flashing-as-non-root">
|
|
<h2><a href="#flashing-as-non-root">Flashing as non-root</a></h2>
|
|
|
|
<p>On Linux, in order for to connect to a device as non-root, the appropriate udev
|
|
rules need to be set up. This is not an issue on either macOS or Windows.</p>
|
|
|
|
<p>On Arch Linux, install the <code>android-udev</code> package. On Debian and
|
|
Ubuntu, install the <code>android-sdk-platform-tools-common</code> package.</p>
|
|
</section>
|
|
|
|
<section id="connecting-phone">
|
|
<h2><a href="#connecting-phone">Connecting the phone</a></h2>
|
|
|
|
<p>Connect the phone to the computer. On Linux, you'll need to do this again if
|
|
you didn't have the udev rules set up when you connected it.</p>
|
|
</section>
|
|
|
|
<section id="unlocking-the-bootloader">
|
|
<h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
|
|
|
|
<p>First, boot into the bootloader interface. You can do this by turning off the
|
|
device and then turning it on by holding both the Volume Down and Power buttons.</p>
|
|
|
|
<p>Unlock the bootloader to allow flashing the OS and firmware:</p>
|
|
|
|
<button id="unlock-bootloader-button" disabled="disabled">Unlock bootloader</button>
|
|
|
|
<p>The command needs to be confirmed on the device and will wipe all data. Use one
|
|
of the volume keys to switch the selection to accepting it and the power button to
|
|
confirm.</p>
|
|
|
|
<p><strong id="unlock-bootloader-status"></strong></p>
|
|
</section>
|
|
|
|
<section id="obtaining-factory-images">
|
|
<h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
|
|
|
|
<p>You need to obtain the GrapheneOS factory images for your device to proceed with
|
|
the installation process.</p>
|
|
|
|
<p>Press the button below to start the download:</p>
|
|
|
|
<button id="download-release-button" disabled="disabled">Download release</button>
|
|
|
|
<p><strong id="download-release-status"></strong></p>
|
|
</section>
|
|
|
|
<section id="flashing-factory-images">
|
|
<h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
|
|
|
|
<p>The initial install will be performed by flashing the factory images. This will
|
|
replace the existing OS installation and wipe all the existing data.</p>
|
|
|
|
<button id="flash-release-button" disabled="disabled">Flash release</button>
|
|
|
|
<p>Wait for the flashing process to complete. It will automatically handle
|
|
flashing the firmware, rebooting into the bootloader interface, flashing the core
|
|
OS, rebooting into the userspace fastboot mode, flashing the rest of the OS and
|
|
finally rebooting back into the bootloader interface. Avoid interacting with the
|
|
device until flashing is finished and the device is back at the bootloader menu.
|
|
Then, proceed to <a href="#locking-the-bootloader">locking the bootloader</a>
|
|
before using the device as locking wipes the data again.</p>
|
|
|
|
<p>
|
|
<strong id="flash-release-status"></strong>
|
|
<!-- This appears as part of the status -->
|
|
<button id="flash-reconnect-button" style="display: none;"><strong>Reconnect device</strong></button>
|
|
</p>
|
|
</section>
|
|
|
|
<section id="locking-the-bootloader">
|
|
<h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
|
|
|
|
<p>Locking the bootloader is important as it enables full verified boot. It also
|
|
prevents using fastboot to flash, format or erase partitions. Verified boot will
|
|
detect modifications to any of the OS partitions and it will prevent reading any
|
|
modified / corrupted data. If changes are detected, error correction data is used
|
|
to attempt to obtain the original data at which point it's verified again which
|
|
makes verified boot robust to non-malicious corruption.</p>
|
|
|
|
<p>In the bootloader interface, set it to locked:</p>
|
|
|
|
<button id="lock-bootloader-button" disabled="disabled">Lock bootloader</button>
|
|
|
|
<p>The command needs to be confirmed on the device and will wipe all data. Use one
|
|
of the volume buttons to switch the selection to accepting it and the power button
|
|
to confirm.</p>
|
|
|
|
<p><strong id="lock-bootloader-status"></strong></p>
|
|
</section>
|
|
|
|
<section id="post-installation">
|
|
<h2><a href="#post-installation">Post-installation</a></h2>
|
|
|
|
<section id="booting">
|
|
<h3><a href="#booting">Booting</a></h3>
|
|
|
|
<p>You've now successfully installed GrapheneOS and can boot it. Pressing the
|
|
power button with the default Start option selected in the bootloader menu
|
|
will boot the OS.</p>
|
|
</section>
|
|
|
|
<section id="disabling-oem-unlocking">
|
|
<h3><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h3>
|
|
|
|
<p>OEM unlocking can be disabled again in the developer settings menu within the
|
|
operating system after booting it up again.</p>
|
|
</section>
|
|
|
|
<section id="verifying-installation">
|
|
<h3><a href="#verifying-installation">Verifying installation</a></h3>
|
|
|
|
<p>Verified boot authenticates and validates the firmware images and OS from the
|
|
hardware root of trust. Since GrapheneOS supports full verified boot, the OS images
|
|
are entirely verified. However, it's possible that the computer you used to flash the
|
|
OS was compromised, leading to flashing a malicious verified boot public key and
|
|
images. To detect this kind of attack, you can use the Auditor app included in
|
|
GrapheneOS in the Auditee mode and verify it with another Android device in the
|
|
Auditor mode.</p>
|
|
|
|
<p>The Auditor app works best once it's already paired with a device and has
|
|
pinned a persistent hardware-backed key and the attestation certificate chain.
|
|
However, it can still provide a bit of security for the initial verification
|
|
via the attestation root. Ideally, you should also do this before connecting
|
|
the device to the network, so an attacker can't proxy to another device (which
|
|
stops being possible after the initial verification). Further protection
|
|
against proxying the initial pairing will be provided in the future via
|
|
optional support for ID attestation to include the serial number in the
|
|
hardware verified information to allow checking against the one on the box /
|
|
displayed in the bootloader. See the <a href="https://attestation.app/tutorial">Auditor tutorial</a>
|
|
for a guide.</p>
|
|
|
|
<p>After the initial verification, which results in pairing, performing verification
|
|
against between the same Auditor and Auditee (as long as the app data hasn't been
|
|
cleared) will provide strong validation of the identity and integrity of the
|
|
device. That makes it best to get the pairing done right after installation. You can
|
|
also consider setting up the optional remote attestation service.</p>
|
|
</section>
|
|
|
|
<section id="further-information">
|
|
<h3><a href="#further-information">Further information</a></h3>
|
|
|
|
<p>Please look through the <a href="/usage">usage guide</a> and
|
|
<a href="/faq">FAQ</a> for more information. If you have further questions not
|
|
covered by the site, join the <a href="/contact#community">official GrapheneOS
|
|
chat channels</a> and ask the questions in the appropriate channel.</p>
|
|
</section>
|
|
</section>
|
|
</main>
|
|
<footer>
|
|
<a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
|
|
<ul id="social">
|
|
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
|
|
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
|
|
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
|
|
<li><a href="https://www.linkedin.com/company/grapheneos/">LinkedIn</a></li>
|
|
</ul>
|
|
</footer>
|
|
</body>
|
|
</html>
|