Getting started with https://grapheneos.org. Basically, Pixel is the only platform that has all the requirements that allow you to load custom firmware.
Prep work
Open up the bootloader for custom firmware on the Pixel (OEM unlocking)
I followed the CLI guide since I didn’t want to use Chrome. We’ll see how this ages.
You need a recent version of platform-tools, so the one from apt won’t suffice. Get it from Android: https://developer.android.com/tools/releases/platform-tools
sudo apt install libarchive-tools
curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-linux.zip
echo 'acfdcccb123a8718c46c46c059b2f621140194e5ec1ac9d81715be3d6ab6cd0a  platform-tools_r35.0.2-linux.zip' | sha256sum -c
bsdtar xvf platform-tools_r35.0.2-linux.zip
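The commands above run one after another, so if they are pasted as a block the archive is still extracted when the checksum line fails. An added example (not from the original post or the GrapheneOS guide) that extracts only on a match; the function names verify_sha256 and extract_if_verified are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: fail-closed extraction of a pinned archive.

# Return 0 if FILE hashes to EXPECTED, 1 on mismatch, 2 on bad input.
verify_sha256() {
    local file expected actual
    file=$1
    expected=$2
    # A pinned SHA-256 must be exactly 64 hex characters.
    case $expected in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    # Hash from stdin so the file name never appears in the output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Extract ARCHIVE into DEST only when it matches the pinned hash.
extract_if_verified() {
    local archive expected dest
    archive=$1
    expected=$2
    dest=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "refusing to extract $archive: checksum check failed" >&2
        return 1
    fi
    mkdir -p -- "$dest" && bsdtar -xf "$archive" -C "$dest"
}

# Usage with the file name and hash from the commands above
# (the destination "." is an assumption):
#   curl -fO https://dl.google.com/android/repository/platform-tools_r35.0.2-linux.zip
#   extract_if_verified platform-tools_r35.0.2-linux.zip \
#       acfdcccb123a8718c46c46c059b2f621140194e5ec1ac9d81715be3d6ab6cd0a .
```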
Open source app store: https://auroraoss.com/
Troubleshooting Cellular
There’s an issue with RCS on GrapheneOS for certain carriers (AT&T and T-Mobile). In these scenarios, there is a workaround where you install an old version of Google Messages to do the RCS handshake and get the connection verified, followed by an update via the Google Play Store. This is primarily due to the way RCS is handled: it is essentially an open standard for communication, but Google has provided the service for mobile carriers in the past. Google is stopping providing the service and instead relying on the carriers to implement it.
This surfaces in GrapheneOS because it does grant additional privileges for some IMEI information. The end result is that users on these carriers who use GrapheneOS will be required to follow the workaround every time the authentication fails (approximately every 36 hours).
At this point, I would need to either give up RCS in favor of straight SMS / MMS messaging, use a more secure app such as Signal or WhatsApp, or change to another carrier that is better supported on GrapheneOS (e.g. Verizon, Sprint, etc.). There’s also the possibility of using an older version of the messaging application that does not require the 36 hour cycle.
…
Looks like there is a workaround where you install a specific version to get RCS running (com.google.android.apps.messaging_messages.android_20241120_00_RC07), then follow up by installing a separate fixed version (com.google.android.apps.messaging_messages.android_20250311_04_RC01) and disabling automatic updates. Since applying this method, RCS has been up for weeks. See this megapost on the forum for more info:
https://discuss.grapheneos.org/d/1353-using-rcs-with-google-messages-on-grapheneos/1687
Other Apps for Graphene
DNSNet
Interesting application offered through the Accrescent app store. Basically sets up an ad blocker run locally (configured by some blacklist) and routes your traffic through the locally hosted VPN. So far really enjoy this.
WireGuard for a VPN
Able to connect to the home network. This is the underlying connection used by Pangolin. You can also run WireGuard standalone and use the companion app for connecting; you need to open a port on the router to allow the connection, but this allows for a self-hosted VPN.
Summary
I’ve been using GrapheneOS for months now, and after working out a handful of kinks, I really enjoy the control you have over permissions (this sometimes comes at a cost of functionality). In general the trade-off is worth it, and at a minimum you know what permissions you are granting to which services.