├── .gitignore
├── vendor
    ├── BootSignature.jar
    └── VerifiedBootSigner-v8.zip
├── sign-recovery.sh
├── update-boot-signer.sh
├── gen-signing-keys.sh
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
known-good/


--------------------------------------------------------------------------------
/vendor/BootSignature.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rarecoil/open-dumpling/HEAD/vendor/BootSignature.jar


--------------------------------------------------------------------------------
/vendor/VerifiedBootSigner-v8.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rarecoil/open-dumpling/HEAD/vendor/VerifiedBootSigner-v8.zip


--------------------------------------------------------------------------------
/sign-recovery.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Sign the TWRP recovery image passed as $1 with the custom key pair, then
# verify the signature on the result. Run from the repository root.

java -jar vendor/BootSignature.jar /recovery "$1" custom.pk8 custom.x509.der recovery_signed.img
java -jar vendor/BootSignature.jar -verify recovery_signed.img


--------------------------------------------------------------------------------
/update-boot-signer.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copy Chainfire's VerifiedBootSigner ZIP and add the custom key pair to it.

cp vendor/VerifiedBootSigner-v8.zip .
zip -u ./VerifiedBootSigner-v8.zip custom.pk8
zip -u ./VerifiedBootSigner-v8.zip custom.x509.der


--------------------------------------------------------------------------------
/gen-signing-keys.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Generate a 2048-bit RSA key and a self-signed certificate, both DER-encoded.
# custom.pk8 is written unencrypted (-nocrypt).

openssl genrsa -f4 -out custom.pem 2048
openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt
openssl req -new -x509 -sha256 -key custom.pem -out custom.x509.pem
openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der
rm custom.x509.pem custom.pem


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Encrypted + Locked + LineageOS 16.0 + MicroG on OnePlus 5T

## This repository has now been archived, as I no longer have a OnePlus 5T for testing/development.

I am moving away from the OnePlus devices, at least for now. I still
think they are great used devices for Android use, but I think that for
OSS, [PostmarketOS](https://postmarketos.org/) et al. deserve some attention.
Some script dev to automate this process began in the `ci-cd` branch,
but did not get merged into master before I abandoned this project.


## Introduction

I have a [OnePlus 5T](https://www.oneplus.com/support/spec/oneplus-5t). Interested in a modern Android device running MicroG and F-Droid, I decided to try to build this device. The problem with most Android hacks is that they require unlocked bootloaders. However, locked bootloaders provide some security guarantees, and I wanted to try to build a solid device with this software.

I specifically chose the OnePlus 5 and 5T because of [this XDA post](https://forum.xda-developers.com/oneplus-5/how-to/guide-relock-bootloader-custom-rom-t3849299) that showed a way to allow for a locked bootloader with a custom ROM. Many Android devices will not allow this. It helps that the OnePlus line is extremely overpowered for its release date, cheap used from Android enthusiasts, has extreme enthusiast support, and (hopefully) will have support for a long time because of these things.

The tutorial above requires you to disable [dm-verity](https://source.android.com/security/verifiedboot/dm-verity) or [disable forced encryption](https://source.android.com/security/encryption/full-disk). We want to keep as many security features as LineageOS and MicroG allow, so we aren't going to do that. (Also, LineageOS 16.0 has issues with forced encryption being off. Flashing Magisk, the disable dm-verity/forceencrypt, and then attempting to encrypt failed on my OnePlus 5T.)

## Known Issues

* Push notifications aren't working. It's likely a known problem in MicroG due to Google moving to FCM from GCM. [I have opened an issue](https://github.com/microg/android_packages_apps_GmsCore/issues/794).

## Known-good images

Due to GitHub size restrictions, I've placed the known-good images used for this on DigitalOcean. You may use these to test that you have done everything properly; however, **do not use these in production** as they are likely to be old/out-of-date. These are unmodified from the original sources I downloaded them from.

* [VerifiedBootSigner-V8.zip](https://rarecoil.sfo2.digitaloceanspaces.com/ecophone/dumpling/known-good/VerifiedBootSigner-v8.zip)
* [addonsu-16.0-arm64-signed.zip](https://rarecoil.sfo2.digitaloceanspaces.com/ecophone/dumpling/known-good/addonsu-16.0-arm64-signed.zip)
* [lineage-16.0-20190506-microG-dumpling.zip](https://rarecoil.sfo2.digitaloceanspaces.com/ecophone/dumpling/known-good/lineage-16.0-20190506-microG-dumpling.zip)


## Preparing signing keys, Verified Boot Signer, and Recovery

You will need to sign your recovery.img and your boot.img for the bootloader to be locked. If you don't have keys, run `gen-signing-keys.sh` in this folder to generate RSA keys for the signing process.

**To generate keys,** run `gen-signing-keys.sh`. This uses openssl to generate a 2048-bit RSA private key (`custom.pk8`) and a self-signed certificate (`custom.x509.der`). The private key is written without a passphrase (`-nocrypt`).

**To update the boot signer ZIP**, run `update-boot-signer.sh`. This will add your generated key files to Chainfire's boot signer ZIP.

**To sign recovery**, run `sign-recovery.sh` with the TWRP recovery image you want to sign as its argument. The signed image is written to `recovery_signed.img` and then verified.


## Wiping the device in TWRP

Open TWRP, and go to "Advanced Wipe". Completely wipe **Dalvik / ART Cache**, **Cache**, **System**, **Vendor**, and **data**. This gives us a no-OS-installed device. Now, we flash our work.

## Flashing

You can use `adb sideload`, or copy the files to the device over MTP and install them from TWRP. I use ADB Sideload, so go to **Advanced > ADB Sideload** and swipe to start sideload. Then, from your computer, load the OS and the SU add-on. Then, flash your custom VerifiedBootSigner containing your signing keys, and wipe cache at this stage as well just for good measure.

```
adb sideload lineage-16.0-20190506-microG-dumpling.zip
adb sideload addonsu-16.0-arm64-signed.zip
adb sideload VerifiedBootSigner-v8.zip
```

Reboot from TWRP **to the bootloader**, *not the system you have just flashed*, and lock the bootloader:

```
fastboot oem lock
```

The OnePlus will show that the "device has loaded a different operating system" and boot into TWRP recovery once. If you have a signature mismatch, you will see an error image saying that your device is corrupt. If so, re-sign your recovery, make sure your VerifiedBootSigner 1) contained your keys and 2) actually sideloaded, and then try again.

--------------------------------------------------------------------------------
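
The first troubleshooting check in the README's Flashing section (that VerifiedBootSigner contained your keys) can be run on the computer before sideloading and locking. This is an added example, not part of the repository: the function names `keys_match`, `zip_has_keys` and `preflight` are hypothetical, and it assumes the file names written by `gen-signing-keys.sh` and `update-boot-signer.sh`.

```bash
#!/bin/bash
# Added example (not from the repository): pre-lock checks for the key
# material. File names are those produced by gen-signing-keys.sh and
# update-boot-signer.sh; function names are hypothetical.

# Succeeds only if the PKCS#8 private key and the DER certificate carry the
# same public key. Returns 2 if either file cannot be parsed.
keys_match() {  # keys_match <custom.pk8> <custom.x509.der>
    local from_key from_cert
    from_key=$(openssl pkey -inform DER -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -inform DER -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Succeeds only if the signer ZIP holds byte-identical copies of every listed
# file at its root, which is where `zip -u` puts them. A missing or stale
# entry makes the comparison fail.
zip_has_keys() {  # zip_has_keys <signer.zip> <file>...
    local zip=$1 f
    shift
    for f in "$@"; do
        unzip -p "$zip" "$(basename "$f")" 2>/dev/null | cmp -s - "$f" || return 1
    done
}

# Run both checks and report the first failure.
preflight() {  # preflight <signer.zip> <custom.pk8> <custom.x509.der>
    keys_match "$2" "$3" || {
        echo "FAIL: $2 and $3 are not a matching pair" >&2
        return 1
    }
    zip_has_keys "$1" "$2" "$3" || {
        echo "FAIL: $1 does not contain the current key files" >&2
        return 1
    }
    echo "OK: key pair matches and $1 carries it"
}

# Runs only when called with arguments, for example:
#   ./preflight.sh VerifiedBootSigner-v8.zip custom.pk8 custom.x509.der
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A stale ZIP entry left over from an earlier key generation is caught by the byte comparison, because `update-boot-signer.sh` has to be re-run after every `gen-signing-keys.sh`.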