This is an effort to produce an AOSP based Android ROM with only the minimum binary blobs in order for all hardware to function.
Additionally, we seek to produce signed deterministic builds allowing for high accountability via redundant CI systems all getting the same hash.
Heavily inspired by the former CopperheadOS (RIP) project. We seek to provide a trustable path to free public AOSP builds patched for privacy and security.
Additionally, this build system is intended to make it easy to build, sign and publish your own custom AOSP rom from patches/configs/branding as you see fit.
A common build system/strategy for vanilla AOSP and AOSP forks also makes it easy to change between them as you see fit while still controlling your own keys making debugging and comparisons easier.
Public releases are pending sustainable/automated CI/CD work to do reproducible builds and multisig.
Testing is currently manual. "True" implies only all hardware and surface level functionality appears to work. E2E testing integration is WIP
Testers, builders, and hosting bandwidth needed.
Please join us on IRC: ircs://irc.hashbang.sh/#!os
Device | Codename | Tested | Verifiable | Secure Boot | Download |
---|---|---|---|---|---|
Pixel 3a XL | Bonito | FALSE | FALSE | AVB 2.0 | Soon™ |
Pixel 3a | Sargo | FALSE | FALSE | AVB 2.0 | Soon™ |
Pixel 3 XL | Crosshatch | TRUE | FALSE | AVB 2.0 | Soon™ |
Pixel 3 | Blueline | TRUE | FALSE | AVB 2.0 | Soon™ |
Pixel 2 XL | Taimen | TRUE | FALSE | AVB 1.0 | Soon™ |
Pixel 2 | Walleye | FALSE | FALSE | AVB 1.0 | Soon™ |
Pixel XL | Marlin | FALSE | FALSE | dm-verity | Soon™ |
Pixel | Sailfish | FALSE | FALSE | dm-verity | Soon™ |
Release hosting is sponsored by JFrog
adb devices
Note: Should return something like: "7CKY1QD3F device"
Extract
unzip crosshatch-PQ1A.181205.006-factory-1947dcec.zip
cd crosshatch-PQ1A.181205.006
Go to "Settings > System > Advanced > Developer options"
Enable "OEM Unlocking"
Unlock the bootloader via ADB
adb reboot bootloader
fastboot flashing unlock
Note: You must manually accept prompt on device.
Flash new factory images
./flash-all.sh
adb reboot bootloader
fastboot flashing lock
adb reboot recovery
adb sideload crosshatch-ota_update-08050423.zip
Each device needs its own set of keys:
make DEVICE=crosshatch keys
Build flashable images for desired device:
make DEVICE=crosshatch clean build release
Do basic cleaning without deleting cached artifacts/sources:
make clean
Clean everything but keys
make mrproper
Build a given device twice from scratch and compare with diffoscope:
make compare
Create a shell inside the docker environment:
make shell
Output all untracked changes in android sources to a patchfile:
make diff > patches/my-feature.patch
Update to latest upstream sources.
make config
Build all targets impacted by given change
make DEVICE=crosshatch release
Commit changes to a PR
Author or reviewer manually tests and documents in CHANGELOG
Reviewer security audits local/upstream changes and documents in CHANGELOG
Maintainer does signed merge of changes to master
Maintainer makes signed release tag. (E.g: "9.0.1_r37-hb37")
If you'd like to manage you own OTAs with your own signing keys, you can make the following changes:
patches/platform/add-updater.patch
and change os.hashbang.sh
to
whatever server you'll be placing these images.make DEVICE=<device-name> OTA_CHANNEL=stable build release
a. OTA_CHANNEL
will default to beta
build/release/*
to your server.Individuals that desire a device that favors privacy and security over easy access to proprietary software and services.
You technically can download/install most apps in the Play store but we of course can't recommend that. Some apps that have a hard requirement on Google Play Services can be tricked with [MicroG][mg] but this increases attack surface and though it will probably work in many cases, this is not supported or recommended.
Yalp store is an open source browser for Google Play Store and is available on F-Droid.
Also see "Alternatives" below to find alternatives for popular apps.
Most vendors don't release sources and tooling to reproduce their builds or do so with substantial delays. Many vendors even disable critical security features they don't understand and allow various Supply Chain Attacks. These are a headache to reverse engineer, test, audit, patch, and generally maintain.
Unless a vendor decides to produce source repos with at least the quality of AOSP we will only support AOSP supported devices which today means the Pixel series of mobile handsets.
Pixel devices start at $100-200 and we will try to maintain support for at least one device at this price point to keep the project accessible.
As of the time of this writing most popular ROMs are virtually unusable without Google Play Services and the proprietary parts of android. They also tend to make changes that make taking upstream source code time consuming thus often delaying security updates.
Secondly virtually all roms sign using "test" keys, leaving all of them vulnerable to Evil Maid Attacks and thus worse-off security wise than stock Android.
Third, builds are almost never easily reproducible if at all meaning that a single coerced maintainer could slip in a subtle flaw without very little chance of detection
Lastly, they almost all source binaries from sketchy locations like the infamous "TheMuppets" repo which an unknown number of people have push access to. This sort of activity acts as a security SPOF for popular roms.
Trust, but Verify. While we may be upstanding people today, we might be coerced tomorrow by a state actor that wants access to the device in your pocket. You can run our reproducible build systems yourself and sound the alarm if the builds we produce don't line up with the published source code.
The more people that verify, the less reason a bad actor has to try to attack maintainers. Maintaining a system that requires zero trust on the maintainers is a core part of our plan to be resistant to Australia-style strongarm backdoor requests.
Giving up Google Play services and stock proprietary applications is a big ask for a lot of people that have grown to rely on particular apps for their lifestyle.
To address this consider looking at some of the below alternatives for popular applications.
Some things won't have alternatives and in those cases you will have to decide to sideload a specific proprietary APK via Yalp Store or live without that app.
You may also find popular travel apps like Kayak, Uber ans Lyft have very usable mobile webapps you can pin to your desktop for a similar experience to a native app.
App | Alternative(s) | Notes |
---|---|---|
Chrome | Chromium, OrFox | Chromium is built-in to #!os |
Play | F-Droid, Yalp | F-Droid is built-in to #!oa |
GMail | K9Mail | |
Drive | Nextcloud | |
Music | D-Sub | Will need a Subsonic capable server |
Maps | OsmAnd~ | |
Auth. | Yubico Auth. | |
Hangouts | Weechat, Riot.im | |
Voice | Ring | |
Youtube | NewPipe, SkyTube |
Use at your own risk. You might be eaten by a grue.