[9] Glassrom

  1. anupritaisno1
    KitKat Mar 13, 2019

    anupritaisno1 , Mar 13, 2019 :
    This ROM contains dm-verity
    This ROM will encrypt your device by default
    This ROM will replace your current recovery if you do not disable verity
    Please be careful before flashing
    We are not responsible for anything that happens to your device, your data, people next to you, people on the opposite side of the earth or anyone, including you for the matter. You are choosing to do these modifications



    Glassrom for op3 and 3t

    Download links:
    Download from glassrom server (no logging) (ipv4 and ipv6):
    For ext4: https://glassrom.pw/op3_ext4.zip
    For f2fs: https://glassrom.pw/op3_f2fs.zip

    Download from CDN (see privacy and GDPR notice below) (ipv4 only):
    For ext4: https://cdn.glassrom.pw/op3_ext4.zip
    For f2fs: https://cdn.glassrom.pw/op3_f2fs.zip

    Note that your /data and /cache MUST have exactly the same filesystem as the variant you download. You cannot have /data as ext4 and /cache as f2fs or the other way around. This is NOT supported

    Build verification: https://github.com/GlassROM/glassrom-verification

    Verifying builds: use the build verification link to verify your download. The hashing algorithm is sha2-512. The commit is signed with an x25519 private key. Glassrom is signed with a 2048-bit e3 RSA key with sha2-256 as the hashing algorithm. The glassrom server discloses DANE TLSA records and has certificate transparency, HPKP and CAA and only replies over TLS 1.3 with a secp384r1 private key. The domain supports DNSSEC

    Privacy policy:
    Glassrom collects absolutely zero data

    Lineageos might collect some data like analytics. Read their privacy policy at the link below
    https://lineageos.org/legal/

    We use bunnycdn which might collect some data. Read their privacy policy here: https://bunnycdn.com/privacy
    https://bunnycdn.com/gdpr
    Note that if you access the server with glassrom.pw you bypass bunnycdn and connect to the server directly. If you don't want to use the CDN use https://glassrom.pw which is a direct connection to the server without any middleman CDN

    Features:
    Kernel hardening: selinux compiled in release mode, unsafe configurations turned off, enabled PAN emulation, enabled yama with ptrace scope 3, kspp patches applied
    A completely clean kernel with no "optimisation" or other nonsense
    Tripndroid I/O scheduler is used as the default
    Upstreamed kernel to 3.18.137
    F2FS backported from the latest 5.1-rc1 release
    P gestures and navbar are enabled by default
    Substratum exposure support
    Aggressive battery optimisation*
    Maximum permissible password length is 64 characters instead of 16
    Aggressive AOT compilation**
    Includes both microg as well as Google apps packages. Full freedom of choice. Signature spoofing is supported. Installing proprietary webviews even when using microg is supported. Open source/self-built webviews need to be put into /system/app for proper functionality. Minimal gapps packages can be flashed as well as opengapps super
    Light optimisation. Utmost care has been taken to ensure that optimisation doesn't break anything
    Kernel compiled with totally stock GCC and ROM compiled with AOSP clang. No gimmicks
    Full resize support for encryption
    Support for booting off locked bootloaders
    User build signed with release-keys. Release-keys ensure authenticity and security. User build removes a lot of debugging code and enforces stricter and more secure defaults
    Did we mention that we collect absolutely zero data and have strong data protection policies for any data you willingly agree to submit through us through our support channels?

    *Aggressive battery optimisation shuts down the CPU during doze. Alarm apps and all apps that implement GCM will continue to receive notifications. Implementation is tightly integrated into doze. Whitelisting an app from doze will also whitelist it from aggressive battery optimisation. Aggressive battery optimisation never kills or moves apps out of RAM. It can achieve as low as 1% battery drain overnight (as per tests)

    **This feature improves performance immediately on first boot. As a consequence the first boot takes 50 minutes however this optimisation seriously improves both performance as well as battery life

    Instructions: flash the variant you want
    Flash anything else that you want
    If you want to boot with dm-verity tick "mount system partition read-only" before flashing the ROM and don't flash anything after flashing the ROM

    Installing updates:
    Dirty flash the build. No need to wipe caches or any other nonsense
    Remember to reflash all your mods (including gapps) since backuptool is not present
    Update firmware as required

    Troubleshooting:
    Stuck on oneplus logo: dm-verity failure. Make sure you ticked mount system partition read-only and didn't flash anything after the ROM or use a dm-verity disabler like https://forum.xda-developers.com/android/software/universal-dm-verity-forceencrypt-t3817389

    Boots, gets stuck on bootanimation then reboots to TWRP
    This happens if glassrom fails to reserve space for the crypto footer. Space will be reserved even if you disable encryption. Format data partition (not wipe) using dianlujitao's TWRP if this is the case

    Decryption unsuccessful error:
    This can happen if you use the F2FS variant and flash a custom kernel. Glassrom uses the latest F2FS and enables all new F2FS features very quickly. If your custom kernel does not support the same features as glassrom's kernel then you'll run into this error
    This can happen if you flashed a variant but have the other filesystem present on the userdata partition. Format your filesystem correctly if this is the case
    Remember that data recovery is possible through TWRP

    Boots for a long time
    This is a feature. First boot can take 50 minutes. If you want to boot faster then don't wipe dalvik-cache in recovery

    TWRP flashing errors:
    Error codes are useless. Read the message above the error

    Sources: https://github.com/GlassROM
    https://github.com/GlassROM-devices
    https://github.com/LineageOS

    Flashing instructions: just flash it in your recovery and flash whatever else you flash
    For TWRP I recommend dianlujitao's unofficial builds but you can use any TWRP and the result will be the same
    Latest OOS firmware needs to be flashed
    Unlike other ROMs there is no need at all to wipe cache or clean flash new builds. In fact it is advised not to do so while flashing an update

    The following is not allowed when reporting bugs: xposed, custom kernels, anything other than gapps that is installed to the system and magisk

    An exception is made for xposed - merely having the framework installed causes no issues. While asking for support only xposed modules need to be disabled. The framework itself can be kept installed

    Magisk is strictly forbidden while submitting bug reports. Bug reports made with it installed will be rejected and I won't even read your log. If you have magisk uninstall it and clean flash the ROM before making bug reports

    Please join the discord channel for support: https://discord.gg/UF9qnts
    Note: an admin will message you in the vetting channel to confirm you're not a bot before you'll be allowed to send messages so be patient after joining

    Locking your bootloader:
    This is dangerous. Glassrom takes absolutely zero responsibility if you try this

    Note: currently the lineageos recovery is not available so there is no way to update glassrom on a locked bootloader. Upgrading glassrom on a locked bootloader will be possible once lineage recovery has been finalised

    Flash glassrom and preserve dm-verity
    Boot and interrupt the boot process
    Boot to recovery. Make sure it has been replaced with glassrom's recovery
    Boot to fastboot and issue this command
    Code:
    fastboot oem lock
    Caveats: currently there is no way to format the data partition correctly. This will be fixed once lineage recovery is up
     
    Last edited: Apr 13, 2019

    #1
    Max.Mar likes this.
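
Added example, not part of the original post and not GlassROM's own tooling: the SHA-512 download check described under "Verifying builds" in post #1, written as shell functions. The manifest layout (sha512sum's `<digest>  <filename>` lines) and the file name `manifest.sha512` are assumptions, since the page does not show the format used in the verification repository.

```shell
#!/bin/sh
# Verify a downloaded zip against a SHA-512 manifest before flashing.
# Assumption: the manifest uses sha512sum's "<128 hex digits>  <filename>"
# layout. Usage (hypothetical file name): verify_download op3_ext4.zip manifest.sha512

# Print the digest recorded for a file name; fail if absent or malformed.
expected_digest() {
    manifest=$1 name=$2
    digest=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f)          # sha512sum marks binary mode with "*"
          if (f == n) { print tolower($1); exit } }' "$manifest")
    # A SHA-512 digest is exactly 128 hex characters; reject anything else
    # so a truncated or empty entry can never "match".
    case $digest in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#digest}" -eq 128 ] || return 1
    printf '%s\n' "$digest"
}

# Return 0 only if the file hashes to the manifest entry.
# Return 1 on mismatch, 2 if the manifest has no usable entry.
verify_download() {
    file=$1 manifest=$2
    want=$(expected_digest "$manifest" "$(basename "$file")") || {
        echo "no valid manifest entry for $file" >&2
        return 2
    }
    got=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (do not flash)" >&2
        return 1
    fi
}
```

The manifest itself has to come from a source you trust independently of the download, which is why the post points at a signed commit rather than a hash file next to the zip.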
  2. anupritaisno1
    KitKat Mar 14, 2019

    anupritaisno1 , Mar 14, 2019 :
    Yes I know this ROM was just released and here's an update already

    Changelog:

    More optimisation
    Added upstream commits from lineage
     

    #2
  3. anupritaisno1
    KitKat Mar 19, 2019

    anupritaisno1 , Mar 19, 2019 :
    Updated

    Changes:
    Upstreamed F2FS to 5.1-rc1
    F2FS is reenabled (but is on a separate build)
    Enabled privileged access never emulation (PAN)
    Made kernel text and rodata read-only
    Kernel hardening (based on public grsecurity patches)
    Fixed CVE-2019-8912 (severity rating by security researcher: anupritaisno1: HIGH, Atmos: CRITICAL)
    Fixed a serious bug where using gestures when the phone has a screen lock would cause a system crash
    Tripndroid is now the default I/O scheduler
    Upstreamed lz4 driver. You can use a kernel manager program to manually use lz4 compression for zram. Other than that this currently has no use but it might in the future
    Wireguard support. Note that ipv6 support on android is unreliable with the kernel module so confirm with ipv6.test-ipv6.com to make sure you aren't leaking ipv6 traffic when using wireguard. Note that glassrom does NOT recommend disabling ipv6 because you're literally cutting yourself off from a part of the internet by doing so
    Kernel debugging is reenabled
    Page table isolation (you might know it as KAISER) is enabled even if our CPU is not vulnerable to meltdown as it protects against several vulnerabilities other than meltdown
    Upstream lineage changes: all the changes already included in the latest lineage nightly

    The update adds 2 zips: op3_ext4.zip and op3_f2fs.zip
    Both will only support one filesystem and not the other
    If you use ext4 then /data and /cache MUST be ext4
    If you use f2fs then /data and /cache MUST be f2fs
     

    #3
    Max.Mar likes this.
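
Added example, not part of the original posts: a pre-flash check for the rule stated in posts #1 and #3 for the split ext4/f2fs builds, that /data and /cache must both use the filesystem of the variant being flashed. It reads a mount table in `/proc/mounts` layout; the function names are illustrative.

```shell
#!/bin/sh
# Pre-flash check: /data and /cache must both be the filesystem of the
# selected variant (ext4 or f2fs). Input is a mount table in /proc/mounts
# layout: "device mountpoint fstype options dump pass".

# Print the filesystem type mounted at a mount point (last entry wins,
# because a later mount shadows an earlier one on the same path).
fs_type_of() {
    awk -v mp="$2" '
        $2 == mp { t = $3 }
        END { if (t == "") exit 1; print t }' "$1"
}

# check_variant <mounts-file> <ext4|f2fs>
# Returns 0 if both partitions match, 1 on a mismatch, 2 if it cannot tell.
check_variant() {
    mounts=$1 variant=$2
    case $variant in
        ext4|f2fs) ;;
        *) echo "unknown variant: $variant" >&2; return 2 ;;
    esac
    for mp in /data /cache; do
        fs=$(fs_type_of "$mounts" "$mp") || {
            echo "$mp is not mounted, cannot check" >&2
            return 2
        }
        if [ "$fs" != "$variant" ]; then
            echo "$mp is $fs but the $variant build was selected" >&2
            return 1
        fi
    done
    echo "/data and /cache are both $variant"
}
```

Run from a recovery shell as `check_variant /proc/mounts ext4` with both partitions mounted; a return of 2 means a partition was not mounted, not that the layout is wrong.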
  4. cmitchellshaw
    KitKat Apr 3, 2019


    #4
  5. anupritaisno1
    KitKat Apr 3, 2019

    anupritaisno1 , Apr 3, 2019 :
    Very nice

    Installation is a little complicated and booting with a decrypted data partition currently has issues
     

    #5
  6. cmitchellshaw
    KitKat Apr 3, 2019


    #6
    anupritaisno1 likes this.
  7. anupritaisno1
    KitKat Apr 3, 2019

    anupritaisno1 , Apr 3, 2019 :
    Android is meant to be used encrypted

    When you boot without encryption /data is mounted very early during boot instead of being mounted later on

    That sometimes seems to trigger bugs. Also, I've seen many devices where stuff like camera breaks when decrypted. This is because android is supposed to restart the framework and HALs after successful decryption but if data is not encrypted this restart never happens

    Decrypted devices reboot to TWRP using the rescueparty "wipe data prompt" command for some reason. It might be a bug in the disabler tool itself but no clue right now

    If forced encryption is not removed it encrypts just fine and boots normally

    To make matters worse some users face the issue on decrypted devices while some don't at all. This makes it harder to narrow down the exact cause

    There are no issues if the device is already encrypted or if forced encryption is not disabled and glassrom is allowed to encrypt at first boot
     

    #7
  8. cmitchellshaw
    KitKat Apr 3, 2019

    cmitchellshaw , Apr 3, 2019 :
    Pardon this if it shows my ignorance, but once OP releases the Pie update, will installing your ROM encrypted be easier/more stable?
     

    #8
  9. anupritaisno1
    KitKat Apr 3, 2019

    anupritaisno1 , Apr 3, 2019 :
    OEMs test their devices encrypted anyway so as per me at least yes using encryption would definitely be more stable. Not just on glassrom but any ROM for the op3
     

    #9
    cmitchellshaw likes this.
  10. cmitchellshaw
    KitKat Apr 4, 2019

    cmitchellshaw , Apr 4, 2019 :
    That's what I thought.
     

    #10
  11. anupritaisno1
    KitKat Apr 13, 2019

    anupritaisno1 , Apr 13, 2019 :
    Updated:
    Merged LA.UM.7.5.r1-04500-8x96.0 from CAF
    WiFi driver updated to LA.UM.7.5.r1-04500-8x96.0
    Linux 3.18.138
    Upstream changes from lineageos common kernel
    New USB devices are now denied by default
    Updated security patch string to 2018-04-05
    Upstream lineageos changes

    Known bugs: lineage recovery is still a little buggy. There are reports that it doesn't boot. This will be fixed in a future release.
    Edit: this bug has been fixed upstream. The fix will be added in a future release

    Verifying builds: https://github.com/GlassROM/glassrom-verification/commit/a2ea205956518fbfd7821149b2229b121888cdef
     

    #11
  12. anupritaisno1
    KitKat Apr 13, 2019

    anupritaisno1 , Apr 13, 2019 :
    Guys we have a CDN for downloads now

    The glassrom server often has poor reach in certain areas of the world. This means that even if the server has a gigabit link you'll see bad downloads because your ISP doesn't have a proper link to us. This only happens in certain parts of the world

    The CDN aims to resolve these issues. It reaches where the glassrom server cannot and gives faster download speeds. If downloading directly from the server is slow try the CDN

    The CDN provider doesn't support ipv6. Unfortunately if you're on an ipv6-only endpoint you'll have to directly use the glassrom server for the download
     

    #12
  13. anupritaisno1
    KitKat Apr 15, 2019

    anupritaisno1 , Apr 15, 2019 :
    Updated:
    Fixed the issues with lineage recovery
    Updated GPS driver to LA.UM.7.5.r1-04500-8x96.0
    Added some additional April security patches Google decided to push during the last moment
    Fixed some issues with encryption
    Reduced initial boot time
    Removed aggressive task scheduling
    Improved memory management
    USB devices are no longer denied during boot
    Additional hardening applied

    Verifying builds: https://github.com/GlassROM/glassrom-verification/commit/f596520da647e93a5cbe6593348ca4d95e169e0b
     

    #13
  14. Max.Mar
    Jelly Bean Apr 15, 2019

    Max.Mar , Apr 15, 2019 :
    I would like to try out the ROM but because of two reasons I can't
    1. OOS Pie is just around the corner.
    2. My OP3T has gone to my wife some time back and she is using it as her daily driver and I am not allowed to experiment with anything on that.
    But good luck to your project.. Hope it will reach new heights.

    Edit-- if you have any plans to bring something for OPO then surely I would like to give it a try as my OPO is still doing well and kicking.
     
    Last edited: Apr 15, 2019

    #14
    Bintang12 likes this.
  15. anupritaisno1
    KitKat May 18, 2019

    anupritaisno1 , May 18, 2019 :
    Updated:
    Linux 3.18.140
    Merged latest CAF tag and WiFi driver (LA.UM.7.5.r1-04800-8x96.0 or LA.UM.7.6.r1-04800-89xx.0)
    F2FS upstreamed to 5.2-rc1-3.18
    Port of hardened Linux patchset
    FORTIFY_SOURCE=1 is now enabled for the kernel
    Kernel compiled with -fstack-protector-all to protect against buffer overflow vulnerabilities
    All current networking updates from lineageos common kernel
    May 5 2019 security patch
    Ext4 and f2fs are unified. There is no need to flash separate variants
    Wireguard has been removed
    Improvements to gaming performance

    Verifying builds: https://github.com/GlassROM/glassrom-verification/commit/9f107fc14a1d6703c9f1adc7ade464befb047561

    Note that if you use enhanced TWRP you must update glassrom before you update the TWRP. The flash order matters
     

    #15