Project News

Occasional updates about the DivestOS project.

February 12th 2021 Update

System Updates

  • February ASB builds were released between the 6th and 8th.
  • Over 30 CVE patches for 3.10 were added. import and update
  • There have been many new kernel CVE patches as usual.
  • [upstream] Updated to February ASB.
  • [upstream] Updated WebView to Chromium 88.0.4324.152, which has many security fixes. commit

Roster Updates

  • starlte and star2lte have been dropped due to being broken.

App Updates

  • Hypatia was translated into German by Petra Mirelli. link
  • Mull saw 85.1.2 release.
  • Petra Mirelli also made an F-Droid banner graphic for Hypatia. link
  • F-Droid banner graphics were also created for Mull and Extirpater.
  • F-Droid screenshots were added for Mull, Hypatia, and Extirpater.

Website Updates

  • The 'recommended apps' page had some additions. commit
  • The 'screenshots' page had some updates. commit

January 26th 2021 Update

System Updates

  • January ASB builds were released between the 10th and 14th.
  • Rebuilds were published on the 24th through 26th, primarily for CVE patcher updates.
  • IMS/VoLTE was made working on supported devices. image
  • CNE was removed after being briefly included in the Dec/Jan builds. This removal breaks Wi-Fi calling, but is likely worth the security benefits.
  • The deblobber received tweaks to better handle more property edits. commit
  • Part two of the Debian/retired Linux CVE import was completed. Linux 3.0, 3.4, and 3.10 devices benefit the most from this, averaging between 10 and 90 added CVE patches. import and update
  • The exec-based spawning feature from GrapheneOS was disabled. We likely failed to port it over correctly and the result is many subtle breakages.
  • All versions now include the LineageOS 17.1 APN list for better cell carrier compatibility. commit
  • All versions were mostly patched against the old CVE-2019-2306. commit
  • umask is now explicitly set in the build scripts and many files had their permissions corrected. This fixes many subtle issues.
  • [upstream] Updated to January ASB.
  • [upstream] Updated WebView to Chromium 88.0.4324.93, which has many security fixes. commit

Device Updates

  • mata has long-standing audio issues; the Lineage team has been trying to fix them. Currently the earpiece speaker works on calls, but the loud speaker cannot have its volume adjusted.
  • The microphone issue on shamu was resolved; it was caused by our removal of some voice recognition blobs (which are required for adspd bring-up). commit
  • bullhead now installs (and works) after removing the firmware images to work around the missing proprietary additions needed for their flashing. related

Roster Updates

  • mako was re-enabled for 16.0 for users who do not want to re-partition their device.
  • flo was re-enabled for 15.1, for users who do not want to re-partition their device.
  • mako was re-enabled for 15.1 for testing purposes.
  • hammerhead was re-enabled for 15.1 due to Bluetooth issues in 16.0.
  • ether and shamu were re-enabled for 15.1 as they are the last versions with working IMS.
  • star2lte was added to 17.1 and tested as broken, likely due to its usage of stock vendor.img.

App Updates

  • Mull saw 84.1.2, 84.1.4 and 85.1.0 releases.
  • Hypatia had some commits forward-ported from the stable branch to the unfinished dev branch. git log
  • The PrebuiltApps repository saw a handful of app updates. git log

Website Updates

  • The device downloads page now supports serving multiple build versions per device. commit
  • A 'news' page was added for changelogs and project history. commit
  • A 'network connections' page was added for documenting connections made by the system. commit
  • Pages with tables were fixed up for mobile.
  • The 'recommended apps' page had some additions. commit
  • The 'messengers' page received some needed updates.
  • The credits and legal notices section of the 'about' page was updated.
  • Some typos were fixed. commit

Other Updates

December 16th 2020 Update

General Updates

  • November and December ASB builds have been released.
  • Mull is now on its 3rd Fenix-based release, with the latest being 84.1.0. Huge thanks to @relan for their build scripts. repo link
  • Hypatia has been updated to show database release/update dates in addition to a multi-threading fix.
  • Etar is now used for the calendar app across all versions.
  • A handful more proprietary blob variants have been removed.
  • Vendor build fingerprints are now all replaced.
  • Lots of miscellaneous fixes and cleanup.
  • All 15.1 builds and higher are now fully dexpreopted, which allows for reduced memory usage and also decreased boot times on FDE devices.
  • TCP SACK is no longer disabled. SACK PANIC has now been patched on nearly all supported kernels, and SACK has valuable bandwidth-saving benefits.
  • There have been many new CVE patches, especially for 3.18 kernels.

Roster Updates

  • clark has been updated from 14.1 to 17.1 (potential modem issues). In-place upgrade has been tested to work, but your mileage may vary.
  • flo has been updated from 15.1 to 17.1, but requires re-partitioning.
  • cheeseburger/dumpling are compiling for 17.1, but not booting.
  • coral and flame 17.1 builds are available (untested).
  • rs988 and h990 17.1 builds are available (untested).
  • yellowstone 16.0 builds are available (untested).
  • h870 15.1 builds are available (untested).

Website Updates

  • Paragraphs now have links for easy saving/sharing.
  • Browser, recommended apps, and functionality tables have all been updated.
  • A handful of credit updates.
  • There is now a captcha required to access the device downloads page. It works without JavaScript, and has audio support.
  • There is a new vanity onion address divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion. The old address also still works. tool used
  • Most pages are now cached by the browser.
  • Most text-based content served will now be compressed with either deflate or brotli.

Other things

  • Old DivestOS patches have been used to remove AmbientSDK from Replicant. git tag
  • 3G is starting to be rapidly phased out, meaning calls with most carriers will not be possible unless IMS/VoLTE works on your device.
  • Heads up: LineageOS will most likely be dropping official 16.0 builds once 18.0/18.1 is released.

Future work

  • Test how much breakage the deblobber is causing to the IMS stack, or if that is upstream.
  • Finish importing this
  • Add back AOSP patching support to the CVE patcher. It is undecided how to best implement it.

October 10th 2020 Update

  • Most 3.4 devices should expect 40-100 more kernel CVE patches. git commit
  • Most 3.18 devices should expect 10-40 more kernel CVE patches. git commit
  • A handful of other kernel CVE patches are available for all other devices as per usual.
  • Lots of work has been done on making the CVE patcher easier for other projects to use. repo link
  • Mull is now severely out of date. There hasn't been the time to rebase it. It is strongly suggested to use Bromite or the new Fennec F-Droid until then. The Bromite repo is already included in DivestOS F-Droid.
  • The victara build failed last month due to the recovery image being too large; however, it is now once again available.
  • h850 and zenfone3 builds have been pulled as they were last updated in 2018 and 2019 respectively.
  • [upstream] Updated to October security bulletin.
  • [upstream] Updated WebView to Chromium 86.0.4240.75, which has many security fixes.
  • 11/R builds will likely not be available until March with most devices hopefully being updated by May.

September 1st 2020 Update

  • The CVE patch database now has many more patches thanks to importing data from the Civil Infrastructure Platform CVE tracker.
  • The CVE patcher has had some minor fixes to improve output reliability.
  • There have been some GPS fixes for all branches; they will be available in the next rebuilds.
  • Many new (untested) devices: pro1, enchilada, fajita, guacamole, guacamoleb, and broken beryllium.
  • Mull is likely on its last release due to the ESR 68 branch being closed off.
  • Hypatia now supports an extra malware hash database from ESET.
  • Credits and screenshots on the website have been updated.

Historical Recap

  • 2021/02/03: Added many Linux 3.10 CVE patches thanks to @cygwin.
  • 2021/02/02: Hypatia was translated into German thanks to Petra Mirelli.
  • 2021/01/24: Many Linux CVE patches were imported as part two of the Debian retired tracker import.
  • 2020/12/24: The website gained support for serving multiple build versions for a device.
  • 2020/12/21: VoLTE support was unbroken.
  • 2020/12/21: The umask for the build scripts was adjusted, fixing many small issues.
  • 2020/12/11: All non-LTS Linux CVE patches were dropped from the repository.
  • 2020/11/06: Added many missing Linux CVE patches, missed by the CIP scripts, from the Debian retired tracker.
  • 2020/10/22: Mull was rebased onto Fenix, based on top of much effort from Relan.
  • 2020/10/15: A critical issue was identified and resolved that affected many devices. It caused slow performance and boot issues. Originally introduced 2018/10/01.
  • 2020/10/11: Initial inclusion of Etar for Calendar.
  • 2020/10/06: Added many Linux 3.4 CVE patches thanks to @haggertk.
  • 2020/09/18: Added many Linux 3.18 CVE patches from the AOSP 3.18 branch using the CIP scripts.
  • 2020/08/07: Initial import of Linux CVE patches from the Civil Infrastructure Platform tracker.
  • 2020/06/17: The start of providing GPG signatures for all builds.
  • 2020/06/14: The CodeAurora CVE patch list was created.
  • 2020/06/12: DivestOS is publicly released, initially on the F-Droid Forum.
  • 2020/06/07: The AOSP CVE patch list was created.
  • 2020/04/14: Initial support for building on top of LineageOS 17.1.
  • 2019/10/18: Automated kernel hardening via command line arguments was introduced.
  • 2019/10/04: Initial import of Linux CVE patches from the Google Project Zero tracker.
  • 2019/09/25: Most signing keys were switched to RSA-4096.
  • 2019/09/13: Per-device signing keys were introduced.
  • 2019/08/28: Delta OTA support was introduced.
  • 2019/08/27: Image signing was overhauled.
  • 2019/08/05: Initial inclusion of OpenCamera and Simple Gallery.
  • 2019/07/05: IPv6 privacy extensions were enabled on all devices.
  • 2019/06/02: First versions to stop sending the IMSI to the SUPL, discovered by @MSe
  • 2019/05/23: The .org was obtained.
  • 2019/05/13: Initial import of many Linux CVE patches from the Red Hat CVE tracker.
  • 2019/05/08: Initial work on restoring verified boot support in LineageOS began.
  • 2019/04/04: The GrapheneOS hardened memory allocator was included for use on supported devices.
  • 2019/03/12: PicoTTS was first patched to make it functional again.
  • 2019/03/04: Initial support for building on top of LineageOS 16.0.
  • 2019/03/04: Initial support for WireGuard was added.
  • 2019/02/02: The website is overhauled onto SBNR.
  • 2019/01/31: The Static But Not Really (SBNR) project is born out of the DivestOS website as a standalone minimal website framework.
  • 2018/12/18: Support for building on top of LineageOS 11.0 was restored and rebased.
  • 2018/10/20: Tor support was added to the OTA updater.
  • 2018/09/11: Filesystem discards were enabled on /data.
  • 2018/08/08: A-GPS MSA was disabled across all devices for increased privacy.
  • 2018/07/13: The vendor overlay was created for more easily applying select changes.
  • 2018/06/24: DivestOS finally received its own boot animation.
  • 2018/06/17: The provisioner repository was created for quickly installing recommended apps via F-Droid.
  • 2018/05/29: Initial import of Linux CVE patches from the Syzkaller tracker.
  • 2018/05/21: Analytics libraries were degraded by injecting AndroidManifest overrides.
  • 2018/05/13: The website is overhauled to use mini.css.
  • 2018/05/11: Malware scanning via ClamAV support was added to the build scripts.
  • 2018/04/28: Initial patches to support DNS66 loading defaults from system.
  • 2018/04/01: The proprietary LOSCoins malware was removed before ever being included in DivestOS.
  • 2018/03/13: The PrebuiltApps repo was created for including official/F-Droid builds of apps.
  • 2018/03/08: F-Droid signed-off on the inclusion of F-Droid into the system.
  • 2018/03/04: LineageOS signed-off on the re-branding being sufficient.
  • 2018/02/13: Initial support for building on top of LineageOS 15.1.
  • 2018/01/04: Very basic Spectre mitigations were automatically applied to 3.10 kernels.
  • 2018/01/03: Very basic Spectre mitigations were applied to Mull.
  • 2017/12/25: Mull came into existence.
  • 2017/12/13: Veritas, now called Hypatia, was created as the first FOSS real-time malware scanner for Android systems.
  • 2017/12/09: Automatic kernel hardening via defconfig overrides was introduced.
  • 2017/11/21: Initial work on building Firefox for Android without blobs began.
  • 2017/11/11: A script for deblobbing separate /firmware partitions was created.
  • 2017/11/10: Initial automatic applying of Linux incrementals.
  • 2017/11/07: Creation of our initial original Linux CVE patch list.
  • 2017/11/02: Initial versioning of CVE patches to reduce breakage.
  • 2017/10/30: Utilizing the new CVE patcher, all devices were mitigated against KRACK.
  • 2017/10/29: Introduction of automatic kernel CVE patching for all devices.
  • 2017/10/29: The CVE downloader/patcher project was created.
  • 2017/10/14: The repositories were re-licensed to GPLv3.
  • 2017/09/10: Extirpater saw its initial port to Android.
  • 2017/08/01: A commit references a patch made four years earlier? Not too sure about this one.
  • 2017/06/15: Silence was included in the images.
  • 2017/06/04: Start of work on automated kernel CVE patching.
  • 2017/06/04: The project was re-branded into DivestOS.
  • 2017/05/30: OTA updates became supported.
  • 2017/02/25: The dedicated website was created.
  • 2017/01/25: The first revision of our automated deblobber was created.
  • 2017/01/04: Public images were discontinued again.
  • 2016/12/27: Work starts on rebasing onto LineageOS from CyanogenMod.
  • 2016/12/21: The monorepo for what is now called DivestOS was created.
  • 2016/07/10: Earliest recorded date of removing the proprietary AmbientSDK malware from our CyanogenMod 13.0 builds.
  • 2016/04/26: The recommended apps list was released as a Gist on GitHub.
  • 2016/03/19: Public images return, supporting 8 devices.
  • 2016/03/03: Earliest recorded date of our UnifiedNLP backend, MergedWiFiNLP, utilizing simple CSV files.
  • 2016/01/01: Public images were discontinued.
  • 2015/11/20: First builds signed using proper release-keys.
  • 2015/11/19: A PaX-enabled kernel is successfully booted on bacon, based on work and with help from Daniel Micay.
  • 2015/04/01: Our first CyanogenMod 12.1-based images were made available.
  • 2014/12/31: The earliest recorded date of publicly offering custom images. They were based off of CyanogenMod 12 and available for five devices.