Skip to content

Instantly share code, notes, and snippets.

@jonathanschilling

jonathanschilling/GrapheneOS_Pixel8Pro.md

Last active April 6, 2024 10:30
Show Gist options
  • Save jonathanschilling/285a26cdb2b3cb452e9b79d51f839cb7 to your computer and use it in GitHub Desktop.
Save jonathanschilling/285a26cdb2b3cb452e9b79d51f839cb7 to your computer and use it in GitHub Desktop.
Download ZIP
Installing GrapheneOS on a Pixel 8 Pro
Raw
GrapheneOS_Pixel8Pro.md

Installing GrapheneOS on a Pixel 8 Pro (husky)

First try: CLI

prerequisites

  • instructions: https://grapheneos.org/install/cli
  • using Arch Linux (officially supported by CLI installer method) on a Lenovo W510
  • updated device: Settings -> System -> Software updates -> System update -> Check for update -> "Your system is up to date"

enable OEM lunlocking

  • worked according to instructions

install fastboot

  • sudo pacman -S android-tools just worked

  • fastboot --version prints:

    fastboot version 34.0.5-android-tools
Installed as /usr/bin/fastboot

Flashing as non-root

  • sudo pacman -S android-udev just worked

fwupd bug

  • pacman -Ss fwupd: 1.9.16-1 would be the latest version; was not installed on my system - can be ignored IMHO

Booting into the bootloader interface

  • Restart -> hold volume-down button -> boots into bootloader

Connecting the device

  • Connect USB-C between laptop and phone

Unlocking the bootloader

  • fastboot flashing unlock just worked

    OKAY [  0.047s]
Finished. Total time: 0.047s

  • phone now shows option to unlock bootloader

  • press volume-down once; option at power button changes to "Unlock the bootloader"

  • press power button to confirm to unlock bootloader

  • phone returns to initial bootloader screen

Obtaining openssh

  • sudo pacman -S openssh was not needed, since 9.7p1-1 was already installed

Obtaining factory images

  • download factory images public key: curl -O https://releases.grapheneos.org/allowed_signers

  • contents:

    contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE

    --> matches the expected key that was listed in the instructions

  • download the factory image and signature:

    • curl -O https://releases.grapheneos.org/husky-factory-2024040300.zip (ca 1.5GB)
    • curl -O https://releases.grapheneos.org/husky-factory-2024040300.zip.sig

  • verify the image:

    • ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s husky-factory-2024040300.zip.sig < husky-factory-2024040300.zip outputs:

      Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256:AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM

      --> all good

Flashing factory images

  • extract the factory images:

    • bsdtar xvf husky-factory-2024040300.zip prints:

      x husky-factory-2024040300/
x husky-factory-2024040300/image-husky-2024040300.zip
x husky-factory-2024040300/bootloader-husky-ripcurrent-14.4-11403750.img
x husky-factory-2024040300/radio-husky-g5300i-231218-240202-b-11396366.img
x husky-factory-2024040300/avb_pkmd.bin
x husky-factory-2024040300/flash-all.sh
x husky-factory-2024040300/flash-all.bat

      --> all good

  • cd husky-factory-2024040300
  • flash the image:
    • a quick read though flash-all.sh:
      • big disclaimer to not mess around in this script
      • check that fastboot is available
      • check that recent enough version of fastboot is being used
      • check if image that is tried to be flashed matches device ID queried using fastboot
      • flash bootloader twice ???
      • flash radio (GSM etc modem ?)
      • erase and flash avb_custom_key ?
      • ... ?
      • update firmware image: fastboot -w --skip-reboot update image-husky-2024040300.zip
    • --> seems ok to me for now?
    • thus now executing ./flash-all.sh (12:01am - 12:04am) -- ca. 3 minutes in total

Locking the bootloader

  • fastboot flashing lock just works
  • need to change selection using volume-down button to switch to option "Lock the bootloader" for power button
  • confirm by pressing power button

Reboot / Start

  • after bootloader has re-booted, press power button to confirm "Start" option
  • yellow warning sign on non-Google firmware briefly shows up
    • was not fast enough on first try to read it
    • would have needed to press power button to pause
  • boot screen: Graphene OS :-)
    • initial setup offers to disable OEM unlocking -> keep bock ticked

Disabling OEM unlocking

  • already done (verified by entering developer mode again -> OEM unlocking was actually disabled again)
  • disable developer mode again (need to restart device)

Verified boot key hash

  • this time, pressed power button in time to be able to verify boot key hash
  • matches expected value from website: 896db2d09d84e1d6bb747002b8a114950b946e5825772a9d48ba7eb01d118c1c
  • pressed power button to resume boot

All done at this point AFAIK, now need to setup phone for actual use.

Post-Mortem

  • The instructions were in a little weird order: I ended up downloading the new firmware image while the device was in bootloader mode
    • probably it would be better to first install all required packages
    • and verify that they are suitable for use
    • then download all data that will be needed and verify its integrity
    • and only then start working with the phone itself
  • BUT: The instructions worked out-of-the-box on the first try and were unambiguous enough to be followed without hickups. Great job, Graphene OS team!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment