LineageOS Default Network Connections

This was a fairly simple test to see what network connections a fresh LineageOS install on a Google Pixel 5 makes. During the initial setup, GPS was disabled. After setup, we captured a baseline and then turned GPS on to see what DNS requests it made.

Testing methodology

  • A computer was used as a hotspot, running both NetworkMiner 2.8 and Wireshark to log all network requests
  • The Pixel 5 was installed with the latest version of LineageOS 20 (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in the device while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the hotspot
  • After a baseline was logged, we turned on GPS
  • GApps were not installed

Fresh Install Network Requests

After setup was complete, we connected the Pixel 5 to the PC running NetworkMiner and Wireshark. It immediately made a handful of requests to the following five domain names:

  1. www.google.com
  2. connectivitycheck.gstatic.com
  3. time.android.com
  4. g.co
  5. firebaseinstallations.googleapis.com

connectivitycheck.gstatic.com is used to detect if the current network has internet and also to detect if there is a captive portal that you need to log into.

time.android.com is used to check the time and make sure it is correct.

We are not sure what the other three are used for. It is possible that firebaseinstallations.googleapis.com is used by Android System Intelligence, or by some other app that ships by default on LineageOS.

The following NetworkMiner screenshot shows all the IP addresses that were returned for the DNS queries. Note that a DNS query can return multiple IP addresses for a domain name, and the device then uses only one of those IP addresses to transmit traffic.

A couple of normal network broadcast, multicast, and gateway addresses are blurred out as they are normal for devices on a local network.

Here is a Wireshark screenshot for all the DNS requests.

Total bandwidth sent and received for each IP

Using Wireshark, we were able to get a total amount of data sent and received for each of the domains.

  1. www.google.com – 12.976 KiB
  2. connectivitycheck.gstatic.com – 1.497 KiB
  3. time.android.com – 270 bytes
  4. g.co – 21.883 KiB
  5. firebaseinstallations.googleapis.com – 16.225 KiB
  6. Total for Pixel 5 – 52.851 KiB
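The per-domain totals above come from joining two views: the DNS answers (which IPs each name resolved to) and Wireshark's per-IP conversation totals. The script below is an added example, not part of the original post, that does that join on constructed sample input (documentation-range addresses, not the addresses seen in the capture). It only counts IPs that actually carried traffic, so a name that resolved to four addresses but used one still gets a single total, and it lists traffic to any IP that no DNS answer explains, which is the traffic worth a closer look.

```shell
#!/bin/sh
# Added example (not from the original post): join DNS answers with per-IP
# byte totals to get per-domain totals.
#   dns.txt   - "<domain> <ip>", one line per A-record answer (several per query)
#   convs.txt - "<ip> <bytes>", total bytes exchanged with that peer
#               (what Wireshark's Conversations view reports)

# Constructed sample inputs; the addresses are placeholders, not capture data.
make_samples() {
  cat > "$1" <<'EOF'
connectivitycheck.gstatic.com 203.0.113.10
connectivitycheck.gstatic.com 203.0.113.11
time.android.com 203.0.113.20
xtrapath5.xboxprod.izatcloud.net 198.51.100.5
xtrapath5.xboxprod.izatcloud.net 198.51.100.6
xtrapath5.xboxprod.izatcloud.net 198.51.100.7
xtrapath5.xboxprod.izatcloud.net 198.51.100.8
EOF
  cat > "$2" <<'EOF'
203.0.113.10 1533
203.0.113.20 270
198.51.100.6 4096
192.0.2.99 812
EOF
}

# sum_by_domain <dns.txt> <convs.txt>
# Prints "<domain> <bytes>" for every domain that carried traffic and
# "UNRESOLVED <ip> <bytes>" for peers no DNS answer accounts for.
sum_by_domain() {
  awk '
    FILENAME == ARGV[1] { host[$2] = $1; next }   # first file: ip -> domain
    $1 in host { total[host[$1]] += $2; next }    # second file: add bytes to its domain
    { unresolved[$1] = $2 }                       # traffic with no matching DNS answer
    END {
      for (d in total) printf "%s %d\n", d, total[d]
      for (ip in unresolved) printf "UNRESOLVED %s %d\n", ip, unresolved[ip]
    }' "$1" "$2" | sort
}

# domain_total <domain> <dns.txt> <convs.txt>: bytes for one domain, empty if none.
domain_total() {
  sum_by_domain "$2" "$3" | awk -v d="$1" '$1 == d { print $2 }'
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir/dns.txt" "$demo_dir/convs.txt"
sum_by_domain "$demo_dir/dns.txt" "$demo_dir/convs.txt"
rm -r "$demo_dir"
```

On a real capture, the two input files can be produced by exporting the DNS answers and the IPv4 Conversations table from Wireshark; the UNRESOLVED lines are the place to start when a device talks to an address it never looked up.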

Turning on GPS

Turning on GPS immediately led to a connection to xtrapath5.xboxprod.izatcloud.net.

The four lines in the capture are just different IPs for the same domain.

From the Location settings, we can toggle on or off the “Use assisted GPS”.

The settings say the following about Assisted GPS: “Download satellite assistance data from the internet which can greatly improve the GPS startup performance. For emergency calls, assisted GPS is always allowed.”

Essentially, it downloads some files that help your phone find satellites faster, which gets you a faster GPS lock. Without it, it can take a while to find your position.

During the initial setup (First screenshot below), you can toggle on/off Assisted GPS. By default, Android System Intelligence and the Browser are allowed to use Location.

Hopefully that is a helpful overview of the default LineageOS network connections and what some of them are used for.

The acropalypse Vulnerability

First what is acropalypse?

Acropalypse is a vulnerability in Google’s markup editor (and Windows Snipping Tool). It allows an attacker to recover parts of a cropped or marked up image.

https://en.wikipedia.org/wiki/ACropalypse

There are a couple of specific steps you have to follow for the bug to happen.

  1. Take a screenshot
  2. Save screenshot
  3. Crop or markup screenshot in Google Markup or the Windows Snipping Tool
  4. Save screenshot with the same name as original screenshot

The bug is that when you save the cropped screenshot under the same name, it overwrites the original file, but the markup tools do not resize or truncate the file. That means the extra data from the original image is still at the end of the screenshot.

For example, in the following two screenshots, notice the size and dimensions.

Here is the first screenshot.

The second screenshot shows smaller dimensions because it was cropped, but the file size is still the same.
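The symptom described above, an image whose pixel dimensions shrank while its file size did not, shows up in the file structure as bytes left behind after the PNG IEND chunk. The script below is an added example, not from the original post or from the acropalypse tooling: it walks the PNG chunk list (4-byte length, 4-byte type, data, 4-byte CRC) and reports how many bytes follow IEND, which is 0 for a cleanly written file. The sample file it builds is a constructed skeleton (signature, an IHDR chunk with placeholder data and CRC, and IEND), not a real image.

```shell
#!/bin/sh
# Added example (not from the original post): report bytes left after a PNG's
# IEND chunk. Trailing data is the trace left when a cropped image was written
# over the original without truncating the file.

# hexat <file> <offset> <count>: <count> bytes at <offset>, as lowercase hex
hexat() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# png_trailing_bytes <file>: prints the number of bytes after IEND;
# returns 1 if the file is not a PNG or no IEND chunk is found.
png_trailing_bytes() {
  f=$1
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$(hexat "$f" 0 8)" = "89504e470d0a1a0a" ] || return 1   # PNG signature
  off=8
  while [ "$off" -lt "$size" ]; do
    hdr=$(hexat "$f" "$off" 8)              # 4-byte length + 4-byte type
    [ ${#hdr} -eq 16 ] || return 1           # truncated chunk header
    len=$((0x${hdr%????????}))
    ctype=${hdr#????????}
    off=$((off + 12 + len))                  # skip header, data and CRC
    if [ "$ctype" = "49454e44" ]; then       # "IEND"
      echo $((size - off))
      return 0
    fi
  done
  return 1
}

# make_sample_png <path>: constructed minimal PNG skeleton for the demo only
# (placeholder IHDR data and CRC); it is not a decodable image.
make_sample_png() {
  printf '\211PNG\r\n\032\n\000\000\000\015IHDRAAAAAAAAAAAAACCCC\000\000\000\000IEND\256\102\140\202' > "$1"
}

# Demo: a clean file versus one with bytes appended after IEND.
demo=$(mktemp -d)
make_sample_png "$demo/clean.png"
make_sample_png "$demo/cropped.png"; printf 'LEFTOVER' >> "$demo/cropped.png"
for p in "$demo/clean.png" "$demo/cropped.png"; do
  printf '%s: %s trailing bytes\n' "$p" "$(png_trailing_bytes "$p")"
done
rm -r "$demo"
```

A count of 0 only says this file carries no leftover data; it does not prove an image was never cropped, and a non-zero count can also come from other tools that append metadata. Either way, a non-zero result on a screenshot you have shared is the cue to re-save it from a tool that rewrites the whole file.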

Am I affected?

Potentially. Most images are reprocessed if they are uploaded to a web service. Discord only started doing that in January, so if you have images on Discord from before then, you may want to look into that.

You also have to specifically overwrite the original screenshot image. If you don’t normally save the image first, you may be fine. It never hurts to check though.

https://acropalypse.app/

Is macOS or iOS affected?

macOS, and so presumably iOS, appears to properly resize the image after cropping has taken place. That leads me to suspect that iOS and macOS devices are not vulnerable to a variant of acropalypse.

Twitter Post about acropalypse.

How to Restore Pixel to Factory Image

Restoring a Pixel to the factory image is a pretty straightforward operation if you are familiar with fastboot and adb. This guide assumes you already have fastboot installed and set up in your user path. If not, you can refer to the following link for more information.

WARNING – THESE STEPS WILL DELETE ALL USER DATA OFF THE DEVICE.

https://developers.google.com/android/images#instructions

1. Download OTA Image

Go to the following link and download the Factory Image for your device

https://developers.google.com/android/images

Extract the file and then open a terminal or command prompt in that directory.

2. Boot up Pixel in recovery

You can do this with “adb reboot recovery” or with the volume key to boot into the Android boot menu.

3. Flash Image

On Windows you can flash the firmware with

flash-all.bat

Or on Linux

./flash-all.sh

It should take a couple of minutes to complete.

Next we can lock the bootloader with

fastboot flashing lock

You will need to confirm the lock on your phone.

Install Factory Android Image on Pixel 1

Note: Some of these notes were saved in a draft and written from memory, so they may not be entirely complete.

Basic Steps

Basic steps to flash the factory Android image back onto a Google Pixel 1

  • Boot into the boot menu
  • Select recovery
  • Select Apply update from ADB
  • Sideload the OTA image downloaded below
  • Reboot and set the phone up again

Downloading OTA image

You can download the full OTA image from
https://developers.google.com/android/ota

Install GrapheneOS on Pixel 3

Installing GrapheneOS is pretty well documented on the website.

https://grapheneos.org/install

The following are mainly some of my notes. More detailed instructions are available at the above link.

OEM Unlock

Enable developer options

To enable the developer options on Android, go to Settings -> About phone -> tap on Build number until it says you’re a developer.

Allow OEM unlocking

Settings -> System -> Advanced (Dropdown) -> Developer options

Enable OEM unlocking

Unlock Bootloader

Boot into the bootloader by:

  • Powering down the phone
  • Starting it up while holding the volume down and power buttons

Run the following command from a computer with fastboot

sudo fastboot flashing unlock

The screen should change. Use the arrow keys to select Unlock the bootloader and confirm with the power button.

Download and Verify Images

Download the proper factory image and files from https://grapheneos.org/releases

The names should look something like device-factory-date.zip and device-factory-date.zip.sig.
The .sig file is used to verify the image in the section below.

Verify the Keys

The commands to do this are from a Linux computer. There may be alternatives for Windows. You can technically skip this section.

Install signify

sudo apt install signify-openbsd -y

Download the public key from https://releases.grapheneos.org/factory.pub

Run the following and check that the key and the image match.
The command assumes you are in the same directory as the image and the factory.pub file.

sudo signify-openbsd -Cqp factory.pub -x blueline-factory-2020.03.04.16.zip.sig && echo verified

Install Factory (GrapheneOS) Image

Unzip the factory image and change directories into it

unzip blueline-factory-2020.03.04.16.zip && cd blueline-qq2a.200305.002/

Run the flash script to flash the image to your Pixel.

sudo ./flash-all.sh

Wait for it to flash; it may take a long time.

NOTE: I ran into issues with the script as my version of fastboot was old. SEE PROBLEMS HEADING BELOW

Relock bootloader

Boot back up into the recovery menu and lock the bootloader with

fastboot flashing lock

Problems

  • I ran into issues running the flash-all.sh script. My version of fastboot was old. I ended up downloading a newer version and calling all the commands in the script manually.
  • The phone seemed to randomly time out or just hang when trying to run something over fastboot. Unplugging the phone, plugging it back in and rerunning the command seemed to resolve the problem.
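Both problems above are easy to script around, and this added example (not from the original notes) shows one way: a check that the installed fastboot is at least a minimum version, so an old binary is caught before the first flash command rather than halfway through, and a retry wrapper that bounds each attempt with a timeout and re-runs it, which is the scripted form of unplug, replug, rerun. The minimum of 30.0.0 used in the demo is an assumed value for illustration, not a requirement stated by GrapheneOS, and `fastboot --version` is the only real tool invocation involved.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for an old fastboot
# binary and for fastboot commands that hang.

# version_ge <a> <b>: succeeds when dotted version a is >= b (numeric compare)
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# fastboot_version_ok <output of "fastboot --version"> <minimum>
# Accepts a line like "fastboot version 34.0.4-10411341".
fastboot_version_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/^fastboot version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$v" ] || return 1
  version_ge "$v" "$2"
}

# run_with_retry <max-tries> <pause-seconds> <command...>
# Each attempt is bounded by ATTEMPT_TIMEOUT seconds (assumed default 120)
# so a stalled USB transfer does not block the whole script.
ATTEMPT_TIMEOUT=${ATTEMPT_TIMEOUT:-120}
run_with_retry() {
  tries=$1; pause=$2; shift 2
  n=1
  while :; do
    if command -v timeout >/dev/null 2>&1; then
      timeout "$ATTEMPT_TIMEOUT" "$@" && return 0
    else
      "$@" && return 0
    fi
    if [ "$n" -ge "$tries" ]; then
      echo "giving up after $n attempts: $*" >&2
      return 1
    fi
    echo "attempt $n failed; reconnect the device, retrying in ${pause}s" >&2
    n=$((n + 1))
    sleep "$pause"
  done
}

# Demo: check whichever fastboot is on PATH.
if fastboot_version_ok "$(fastboot --version 2>/dev/null)" 30.0.0; then
  echo "fastboot is recent enough"
else
  echo "fastboot missing or older than 30.0.0; install current platform-tools first"
fi
```

With these in place, the individual commands from flash-all.sh can be run as `run_with_retry 3 5 fastboot <args>`, and the version check can sit at the top of the script so it fails before anything is written to the device.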

Unlock bootloader on Google Pixel (Sailfish)

Enable developer options by going to

Settings > System > About Phone > Developer options (Tap 7 times)

Enable OEM unlock in Developer settings

Reboot into recovery

If you’re on Verizon, you may need to go through a couple of extra steps to get the OEM unlock option to show up in the developer settings. More info here

Boot into TWRP

fastboot boot twrp.img

Select the sideload option in TWRP and sideload the LineageOS zip

adb sideload lineage.zip

Reboot and install GApps with

adb sideload gapps.zip

Install LineageOS on Google Pixel (Sailfish)

Just some notes on trying to install LineageOS on Google Pixel.

Basic install steps

  1. Unlock bootloader
  2. Boot into TWRP
  3. Wipe System and format
  4. Push LineageOS zip via adb (or other methods)
  5. Install LineageOS zip
  6. (Optional) Reboot back into TWRP and install Gapps
  7. Reboot (it should boot into Lineage; if not, try changing the A/B slot)

Lineage 15 Official

The install guide is here. Here are some extra notes.

Google Recovery Images (Helpful if you didn’t create a backup…)  https://developers.google.com/android/images

LineageOS Download link
https://download.lineageos.org/sailfish

Lineage OS 16 Unofficial

Helpful Links

https://forum.xda-developers.com/pixel-xl/development/rom-lineage-16-0-pixels-sailfish-marlin-t3830083

https://forum.xda-developers.com/showpost.php?p=78350286&postcount=579

Other Notes

ADB and fastboot should be in the following directory. You may need to install them if they are not.

cd %userprofile%\appdata\local\Android\Sdk\platform-tools

Boot the TWRP image using fastboot. Run it from the bootloader menu; it should load automatically.

fastboot boot twrp.img

There can be some issues with the Pixel swapping A/B slots on boot. You can use TWRP to reboot into A or B, or set it with fastboot

fastboot --set-active=b

Apparently A/B devices will show up as having no OS installed in TWRP.

Reddit post: “TWRP says no OS installed, system boot loops” by u/jhsbane in r/LineageOS

Backup and restore

You can use adb to create a backup of your phone. We are not sure exactly what it backs up, but once restored, pictures, background, and other files seem to be there.

Backup with

adb backup -apk -shared -all -f \Path\to\folder\backup_name.ab

Restore backup with

adb restore \Path\to\folder\backup_name.ab
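The backup command above does not set a backup password, and the resulting .ab file records that in its header. The script below is an added example, not from the original notes, that reads the four text lines at the start of an adb backup (the magic string, format version, compression flag and encryption algorithm) so you can see whether a backup is encrypted before you restore it or leave it lying on a disk. The sample header it builds is constructed for the demo; no real backup data follows it.

```shell
#!/bin/sh
# Added example (not from the original notes): inspect the adb backup header.
# Layout: "ANDROID BACKUP" / version / compression flag (1 = zlib) /
# encryption algorithm ("none" when no backup password was set).
# An unencrypted backup exposes app data to anyone who obtains the file.

# ab_header_field <file.ab> <line 1..4>
ab_header_field() {
  head -n 4 "$1" | sed -n "${2}p"
}

# ab_header <file.ab>: prints "version=<n> compressed=<flag> encryption=<alg>";
# returns 1 when the file does not carry the adb backup magic.
ab_header() {
  [ "$(ab_header_field "$1" 1)" = "ANDROID BACKUP" ] || { echo "not an adb backup: $1" >&2; return 1; }
  printf 'version=%s compressed=%s encryption=%s\n' \
    "$(ab_header_field "$1" 2)" "$(ab_header_field "$1" 3)" "$(ab_header_field "$1" 4)"
}

# ab_is_encrypted <file.ab>: succeeds only for a backup made with a password
ab_is_encrypted() {
  [ "$(ab_header_field "$1" 1)" = "ANDROID BACKUP" ] || return 1
  [ "$(ab_header_field "$1" 4)" != "none" ]
}

# Demo on a constructed header (no real backup contents follow it).
sample=$(mktemp)
printf 'ANDROID BACKUP\n5\n1\nnone\n' > "$sample"
ab_header "$sample"
ab_is_encrypted "$sample" || echo "warning: this backup is not encrypted; store it somewhere protected"
rm -f "$sample"
```

Running `ab_header` on a file produced by the backup command above will show `encryption=none`; if the backup needs to live anywhere other than a trusted machine, re-create it with a backup password when adb prompts for one on the device, or encrypt the file at rest.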