GrapheneOS Default Network Connections

The testing methodology was practically the same as our LineageOS test.

Testing methodology.

  • A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
  • Pixel 5 was installed with the latest version of GrapheneOS (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a base line was logged, we turned on GPS

Screenshot of Wireshark with DNS filter.

  • connectivitycheck.grapheneos.network
  • time.grapheneos.org
  • apps.grapheneos.org
  • releases.grapheneos.org

Total bandwidth sent and received for each IP

Some of the IP’s are used for different services. For instance the apps and releases sub domains use the same IP address.

  • connectivitycheck.grapheneos.network and time.grapheneos.org – 25.794 KiB
  • apps.grapheneos.org and releases.grapheneos.org – 39.468 KiB
  • Total – 65.262 KiB

Turning on GPS

After turning on the GPS toggle, there was a DNS query for

qualcomm.psds.grapheneos.org

This will download the files needed to speed up the GPS speed and accuracy. You can turn this off in the Settings -> Location -> Predicted Satellite Data Service (PSDS)

You can also enable/disable the Secure User Plan Location (SUPL)

You can read more about PSDS and SUPL on the GrapheneOS website https://grapheneos.org/faq#other-connections

Install GrapheneOS on Pixel 3

Installing GrapheneOS is pretty well documented on the website.

https://grapheneos.org/install

The following are mainly some of my notes. More detailed instructions are available at the above link.

OEM Unlock

Enable developer options

To enable the developer options on Android go to Settings -> About phone -> Tap on Build number until it says your a Developer.

Allow OEM unlocking

Settings -> System -> Advanced (Dropdown) -> Developer options

Allow OEM unlocking

Enable OEM unlcoking

Unlock Bootloader

Boot into the bootloader By

  • Powering down the phone
  • Start up while holding the volume down and power button

Run the following command from a computer with fastboot

sudo fastboot flashing unlock

The screen should change, hit the arrow keys to select Unlock the bootloader and confirm with the power button

Download and Verify Images

Download the proper factory image and files from https://grapheneos.org/releases

The name should say something device-factory-date.zip and device-factory-date.zip.sig
The .sig file is used to verify the image in the below section.

Verify the Keys

The commands to do this are from a Linux computer. There may be alternatives for Windows. You can technically skip this section.

Install signify

sudo apt install signify-openbsd -y

Download the public key from https://releases.grapheneos.org/factory.pub

Run and check that the key and the image match.
The following command assumes you are in the same directory as the image and factory.pub file.

sudo signify-openbsd -Cqp factory.pub -x blueline-factory-2020.03.04.16.zip.sig && echo verified

Install Factory (GrapheneOS) Image

Unzip the factory image and change directories into it

unzip blueline-factory-2020.03.04.16.zip && cd blueline-qq2a.200305.002/

Run the flash script to flash the image to your Pixel.

sudo ./flash-all.sh

Wait for it to flash, may take a long time.

NOTE: I ran into issues with the script as my version of fastboot was old. SEE PROBLEMS HEADING BELOW

Relock bootloader

Boot back up into the recovery menu and lock the boot loader with

fastboot flashing lock

Problems

  • I ran into issues running the flash-all.sh script. My version of fastboot was old. Ended up downloading a newer version and calling all the commands in the script manually.
  • Phone seemed to randomly time out or just hang when trying to run something over fastboot. Unplugging and plugging the phone back in and rerunning the command seemed to resolve the problem.