Restoring Stock Android from GrapheneOS & Rant
What!? Restoring stock Android on GrapheneOS? BlASphEmY!!!1!!1!1!!
But in all seriousness, a legitimate reason for restoring stock Android on GrapheneOS is that you may have to return or exchange a Google Pixel device with a hardware defect. (Exercise your consumer right to do so!)
Also, selling your Google Pixel to a non-technical customer, who would be better off using stock Android, is another valid reason to do this.
The TL;DR Starter Kit
The process is fairly quick. I think there may be fewer steps because there's no OpenBSD signify verification.
The most I saw from a quick glance was SHA256 checksums, which is alright. (That is 1 more than what you get when you flash the LineageOS Recovery .img, which is exactly 0 checksum...)
If you are “old schooled” and can't break your habit of using the CLI when installing custom aftermarket Android OS's (or feel more comfortable with being able to see all commands and all scripts and files/objects that are being used and interacted with, which doesn't really seem possible with the web installer method), then it's technically true that the CLI guide for GrapheneOS will be used to flash stock Android.
However, just remember the additional step of wiping the non-stock Android Verified Boot key before relocking the bootloader on stock Android.
(I honestly don't want to know what happens if you neglect this step.)
However, you need the stock Android image to flash! You can find them directly from Google's Developer area. Don't click “Flash” in the correct .zip row — instead, use “Link” to directly download the correct .zip archive for your corresponding compatible Pixel device.
My Other Notes
The device I'm working with is the Pixel 5a.
What I hate about GrapheneOS's CLI instructions is that no where on that pages does it tell you where to find the official stock Android images from Google.
If you examine the corresponding section of reverting back to stock Android for the WebUSB installer, there is slightly more helpful hint:
Installation of the stock OS via the stock factory images is similar to the process described above but with Google's web flashing tool. [Emphasis mine]
Searching Google's web flashing tool on DuckDuckGo got me (DuckDuckGo quality results and) lead me to a page called the Android Flash Tool.
However, my intuition told me something wasn't quite right.
When I clicked on the following DDG search result, I found a tech news article explaining that the Android Flash Tool is used to flash AOSP onto Pixel devices for app development and other general Android development.
The last paragraph told me where I should be headed:
Importantly, the tool does not offer an easy way to flash your phone back to a normal factory image. Thankfully, this can still be done from your web browser using the Google Pixel Repair tool, but for now this tool is not available in all countries. [My commentary: probably due to U.S. trade embargoes Google has to comply with.] Be sure you’ve backed up your files and are able to access the repair tool before playing with AOSP’s Android Flash Tool.
Ok, so now we're talking — I go to the Google Pixel Repair page to discover a page that begins with “Welcome to Google Pixel Update and Software Repair”.
Alright — if I have GrapheneOS installed, this is basically the same as soft-borking a new Google Pixel device, right?
At the bottom of this page, there is a small message that says:
Other available update options: Install fingerprint calibration software
Oh, ok. So that's what Hugh Jeffreys covered in the Pixel 6 screen recalibration video.
Back when I watched that video, I thought such a web-based tool made sense, because of the WebUSB Installer for GrapheneOS.
Now, everything is starting to come full circle — none of this technology development was acting in a linear and monotonic progress dynamic. Instead, it was circular, just like the storytelling style in Mr. Robot where the story progresses, but it often flashes back (to varying lengths of time) to fully flesh out the story. (Sort of like the true nature of paradigm shifts in The Structure of Scientific Revolutions by Thomas Kuhn: science is not actually converging linearly and monotonically onto the truth but instead depends on waking up from infinitely nested dreams like in Inception...)
Even though I had found Google's Pixel Repair web installer, I didn't want to trust it.
Instead, I went back to see if CalyxOS had any information.
In fact, I was pleasantly pleased to find that CalyxOS provided direct links to the WebUSB install pages on its page for returning to the stock OS.
However, I was not able to use the direct URLs to the Google Pixel images because they were behind (October 2021 old).
(This is probably because CalyxOS hasn't gotten to Android 12 yet — I heard something about some flare up in GrapheneOS drama again on Twitter back when this happened regarding how Graphene's Android-prepare-vendor for Android 12 must not be used by CalyxOS, since strictly speaking that GrapheneOS repo itself had no software license or whatever.)
So, since I'm using GrapheneOS, I go back to the Releases page and take a close look at the Pixel 5a (barbet, which is... a breed of dog???) and cross reference the information listed on Google's official images for the Pixel 5a.
Since I'm doing all of this a few hours right after the 2022010500 tag was put in my RSS reader, so I won't be “greedy” with my “recency bias” and pick the latest non-carrier locked version: “12.0.0 (SQ1A.220105.002, Jan 2022)”.
Instead, I examine the stable channel for the Pixel 5a on GrapheneOS and see SQ1A.211205.008.2021122018. The suffix of 2021122018 refers to the year 2021, the month (12) and day (20) of December 20th, and 18 probably refers to the 18th hour of a (24-hour) day, so in the hour of 6PM.
This leaves me with the first half, which is present on the Pixel 5a image section: SQ1A.211205.008. (Actually, for this specific case, the trailing .008 in the first major prefix was only used by the Pixel 5 image for Android 12 with the 2021-Dec-05 security patch.) I have yet to determine what the trailing .008 means, or what Q1A means. I only know that the first letter, S, corresponds to the current Android version 12 or S.
GrapheneOS: How Google Pixels Should Be With No Play Services
With that all out of the way, I'm amazed at what GrapheneOS has achieved, basically two years after officially starting in mid-2019.
The CameraX app shows that all of Google Camera doesn't have to be locked away as a closed source and proprietary app — well, at least its most “basic” features.
For whatever reason, Google promotes its own weird take on “open-source”: you can look, but you can't touch. I remember a consumer tech news article describing this like a museum, but I thought it was more like a stripper mode of operation. (I have got to get a better metaphor that is college classroom appropriate...)
If GrapheneOS could get a better gallery app, a compatibly licensed sound recording app (because Micay is adamant about using the MIT license for GrapheneOS's apps), the sandboxed Google Play Services installation packaged as a single unified APK (instead of 3 separate APKs, with the third APK being a split APK) in a GrapheneOS “app store”, and built-in work profile; I would say that GrapheneOS blows anything that LineageOS has to offer... (though I do miss having the Caffeine quick settings tile, Priority/Alarms Only/Total Silence profiles in Do Not Disturb mode, using the volume keys to move the text cursor around, swapping the Recents and Back buttons in 3 Button Navigation, and customizing the Home Screen without resorting to something like Nova Launcher or whatever.)
In this video (since no other video I've seen so far has attempted an overview explanation of why the Pixel 6 series phones are more secure than all prior Pixel devices, without devolving into a Daniel Micay technical mumble jumbo jargon rant), the hardware is built pretty well (except with very hard-to-find information on the Tensor Security Core, meaning it is somewhat of a black box). I mean, even the Titan M chip is sort of a black box.
Regardless, this much publicly information from Google's security implementation on its smartphones is miles more transparent than any of the “”“security”“” on iPhone from Apple — to the point where almost I want to say that people using iPhones deserve to get pwned by surveillance as a service exploits, such as Pegasus from NSO Group, and Apple's own built-in CSAM scanning.
The smartphone hardware from Google is built great architecturally and consumer design-wise (and I was shocked to learn that Google designs its own server mainframe hardware in-house), but Google's software is a privacy nightmare (because I guess that's a maximal reductionist's take on what an OS is).
Fortunately (to the point where this is a miracle), because Google has invested so much in good Android hardware security, flashing an alternate Android OS and relocking the bootloader is possible. (So much for having a $1,000+ glass brick from Samsung, with its weird e-Fuse and all that unnecessary jazz.)
Stupidity Rant
So, maybe the future isn't totally screwed — yet — since Google has an inherently better approach to hardware security (since Google's forte is actually security — not Apple's, just look at its Kaczynskian socialized and artificially obsolete hard approach to “”“durability”“”) but I'd like to see Precursor from the Betrusted project gain more serious traction, which adopts the same mindset of users re-owning their respective end devices to establish the ultimate of security. Sort of how the Insurgo PrivacyBeast X230 embraces this approach.
No, not like how Librem does any of this, even if anti-interdiction and posts from the CSO keep trying to convince you to buy Librem 14 to install Qubes OS, along with a guest post. That hardware is darn too expensive. Librem is literally what Apple would be if it went full FOSS... though at least Librem's hardware is user serviceable and repairable?
Though I don't know how much Daniel Micay's yelling at how insecure and trash the Librem Laptops' updatable EC really is true. I would trust Micay's expertise on Android OS, firmware, and hardware; but I don't know about his advice opinionated takes on desktops or laptops — no way in Hell will I ever run Microsoft Windows on bare metal ever again (taking up at least 4 GB of RAM or 50% of your RAM, whichever is greater), even if it meant I can keep Secure Boot on (unless it was for an extremely inflexible situation, likely for school and/or work). I'd rather go full Louis Rossmann Rambo on a ThinkPad X230 from eBay, flash coreboot myself with that flashing board and whatever alligator clip style wires are required to do this, and fly to Germany right now during this pandemic (yes, despite Omicron) to buy 2 of a Nitrokey Pro 2 or Nitrokey 3A in person than to go back to using Windows on bare metal for “maximum security”.
Who the frick cares about a GPU firmware update, which you can only obtain when using Windows? With the Bitcoin maximalist tech fuckbois destroying any public credibility in cryptocurrency while plundering all GPUs on all consumer accessible store shelves and the seeming perpetual general electronic chip shortage (whiterose, is that you IRL seizing all the cobalt in the Congo for China in 2021? Do Dark Army-like entities actually run the world?), practically you will empirically and inevitably end up purchasing a GPU with the latest and coincidentally last firmware update anyways.
(Man, you can tell I hate the GrapheneOS Matrix Room moderators — trust me, these people are just like Isaac Newton at best: they are smart people, but horrible to hang out with.)
There should be a hardware security audit, akin to the level of how Cure53 audits are done for various online apps, that would be a fair mediator on what is a secure laptop or desktop. This would mean no other poor soul out there would have to suffer from being scarred by the GrapheneOS Twitter account yelling at whoever Micay feels like in the moment.
And no, before you say that Micay doesn't view Qubes OS very positively, it's not like there is anything else for Qubes OS to use as a Xen Hypervisor, with full Qube template functionality, besides Linux. What am I going to use — Fuchsia? That OS doesn't actually exist as an OS you or I could install as a “normal person”. (It's true that Linux, Unix, or *nix was designed to be a multi-user server OS back in the 1980s and the fact that you can make anything from Gentoo to Pop_OS! into a personal computer OS in 2022 is a miracle. Due to this, there's probably many things I know nothing about that real system architects would define away, if they had to “do over” Linux for personal computers today from the ground up again, such as lots of spaghetti code in the Linux kernel and the number of lines of code growing ever more. Rewrite everything — especially in C — into Rust is probably a correct item on that never ending laundry list, even if that notion becomes a meme.) As far as I'm concerned, your “case” is closed and we're moving on.
I would take any suggestion from Snowden (which is how I discovered GrapheneOS in the first place), but I think that would be objectively too dangerous for him to disclose, both for himself and for anyone who actually tried to follow his laptop/desktop advice.
Let's hope people like Andrew “bunnie” Huang can have their projects (such as Precursor) accelerated so there are more tech in the world making more trustworthy technology moving towards a trustless model — and those people can actually talk to normal people. (Just look up the replies from Micay on the Google Play Store release of Secure PDF Viewer to user reviews — I know we're not selling a “product” in the strict proprietary sense of the world lead by Thomas Edison's horrible example over 100 years ago, but these developers need to learn “customer service” skills.)
A Cautionary Note
As a good practice, I probably should not directly link to explicit download URIs and instead lead to more generalizable “landing page style” URLs (since would not be helpful in a scalable way, let alone archiving copyrighted official Pixel images — which Wayback Machine could outright refuse to or might remove it due to DCMA filings, and archive.today can't properly display files like that).
However, I will have to go back and make sure “acceptable” archives of any source I've linked to is properly saved in both in the Wayback Machine and in archive.today wherever possible.
Google: You Are the New (Age) IBM, But Please Don't Go There
Here is how I'm going to end this post.
In terms of actual sales of devices, Google's Pixel line has been disappointing (if the only goal was for Google to supplant Apple in a realistic amount of time with respect to sheer sales volumes of smartphones and the total smartphone market share).
Well, this is what I've heard. Allegedly, even from Apple, actual sales numbers are kept a secret. However, this won't stop others from using other means to estimate these “hidden” sales numbers.
I won't do “number crunching” (because it's very unpleasant to talk about statistics in English writing without a printout of the raw data in a presentable manner), but it's safe to say that even a very rough estimate would indicate that the Google Pixel isn't dominating the smartphone industry in terms of sheer numbers of handsets compared to Apple's iPhone.
Ironically, the only good thing about this situation for Google is that is that the Pixels are lower on everyone's radar when it comes to major threat actors creating malware or just messing around with exploits in general (that aren't already inherent to prevalent and widespread technology — for example, if you absolutely 0 chance of your smartphone spying on you on the hardware level and you don't trust your hardware, then you have to remove all cameras, microphones, accelerometers, and gyroscopes; RIP auto-rotation of the screen — I don't want to think about if even manual rotation will work in Android as that point).
This makes Pixel devices much less of an attractive target for malware creators, such as NSO Group, while the iPhone is more attractive because “everyone important” (so most models, business people, and journalists) will be using iPhone and the net payoff of developing an iPhone exploit is much more worthwhile in an economic standpoint than it is for any Pixel device. This is why people like Snowden have said Android is “accidentally” more secure against spyware like Pegasus — because Android handsets overall are heterogeneous (or “fragmented”, as the Kaczynskian socialized leftist Apple sheeple say), for better or worse. Meanwhile, iPhones are more or less a monoculture — so that would mean a hypothetical genetically engineered disease (or even a natural one), like the one in the second Sapienza, Italy mission in Hitman (2016), can kill so many more people who are essentially genetically inbred rather than a bunch of genetic mutts. (This is why GMO crops die off IRL — if they all have the same fatal flaw, then they pretty much all die together. Way to go, Apple, putting all of your eggs in one basket. In addition to actually popularizing the embracing of the Apple of Sin in the Garden of Eden more than Satan himself, Apple is subliminally promoting eugenics and a “master race” of superficially leftist authoritarians by approaching fascist totalitarianism from the “other” end of the connected infinity on the albeit grossly simplified 1-D left progressive vs. right conservative political spectrum line.)
(Gosh, I hope I never work in a Silicon Valley-eque company, because I'll never get hired or get fired by being “cancelled” on social media — the most trustworthy and “official” place ever to get the most “accurate” account of any situation — if their Kaczynskian socialized HR departments ever discover this blog...)
It'll take 50 years for Pixels to ever catch on when it comes to Google competing with Apple (if either company is still around in 2080), but don't sell off or shut down the Pixel smartphone line.
Just like how IBM disrespectfully sold off ThinkPad to Lenovo and the ThinkPad line's innovation has slowly trickled away like the water in the area of Texas known as the Dust Bowl today, I think Google is hypothetically at risk of either killing off or reducing the Pixel line to nothing.
In fact, the website Killed by Google features Project Ara (which was supposed to be help right to repair and increase modularity in smartphones — instead, it was slandered by some socialized leftist idiot writer in an American Scientific article; which is I will never trust Scientific American ever again, because the word “scientific” means something is attempting to be like science but can never be science, and isn't the same as an actual and proper “scientist”, such as the very different magazine American Scientist) and Google Nexus.
Google Nexus was good and always allowed bootloader unlocking, but that was the heyday of 2014-2016, and 2022 is very different than 2015 — despite the fact that Mr. Robot's entire storyline is stuck in the year 2015 and in a slightly alternate version of the real world. So, running around with TWRP on a Samsung Galaxy S5 with an unlocked bootloader is cool and top of the line in 2015 standards, but should honestly only ever be done now on a rooted OnePlus One with Kali NetHunter installed and a custom kernel (or some other currently supported and recommended Android device).
Unless you need the hardware flexibility of LineageOS (or the smaller proper subset DivestOS — I think), then Android users trying to be kosher about system-level Google Play Services shouldn't settle for an Android device with dropped OEM support in 2022 (and if you can afford it).
IBM also disrespected its lineage of Model M keyboards, though luckily some sane people formed Unicomp to save the Model M keyboard's legacy.
However, the playing field of smartphones is much different in character than laptops and PCs in the 1990s through 2000-nots. No one can predict the future, but Google remember this: the Google Nexus line was killed off, along with the headphone jack in the flagship Pixel line to get to the Titan M chip with Tensor Security Core. This took 6 whole flagship generations (and 3.5 “budget” generations of the Pixel a line). You better not remove the headphone jack in whatever was supposed to be, or will be, the Pixel 6a series. I can deal with the punchout front facing camera monkey business, but the headphone jack is going to be the last straw on the camel's back for me.
Only time can tell and will tell, but I also do know that the flagship Pixel line has never sold as many handsets as the “budget” Pixel a line, so... hopefully Google keeps assigning the 1st world problem “stigma” of headphone jacks with “budget” phones.
I've already written way too much due to scope creep. I've gotta take a break...