Technical Details (WIP)

Overview

An Android ROM is essentially made up of three parts as detailed below.

The Linux Kernel

The kernel is a necessary part of any operating system. It provides the essential core functionalities and allows the software to talk to the hardware.

Due to the extensive modifications made by device manufacturers and upstream hardware creators, the vanilla 'Mainline' kernel cannot be used. This means that most devices use kernels that are outdated and need to be manually maintained. Some kernels can be easily kept up to date by applying kernel version patches, but more often are modified so much that they need to instead have patches manually tweaked (backported) to work. Google, Qualcomm, and other manufacturers do actually do this work but they still need to be manually applied by device maintainers. Due to this most third party and even stock ROMs ship kernels that are littered with known vulnerabilities.

We however have created a program that eases tracking and applying of these patches massively. Once supplied with a sufficient amount of patches it can can be easily fed kernels and spit out scripts that will automatically apply all applicable patches. It is far from perfect, but with our current set of ~11,000 patches for ~2,550 CVEs it can typically apply between 30 and 300 patches to a kernel. The end result of this is that kernels are much more secure.This is referred to below as our 'CVE patcher'.

The kernel also sports many built-in security features, that most devices actually have disabled! We created a tool that automatically enables as many of these security features as possible. This is an easy way to have a noticeable increase in security with minimal effort. This is referred to below as 'hardenDefconfig()'.

Android Itself

Vendor Blobs

The nitty gritty

In order to reduce the need for maintenance of this page, minor tweaks and fixes are not documented; please check the source code for complete details about all the changes made.

Last updated: 2018-06-27

This needs to be updated since we've switched to using a proper vendor overlay for many changes

Workspace

  • Many unneeded repositories are removed from the repo manifests
  • The workspace is fully reset and synced before every full build
  • Upon starting a full build a thorough malware scan is performed using ClamAV

The Patcher

We do not maintain forks of repos to store modifications. Instead we keep all of our changes and scripts to apply them in a single repository. This has various benefits and downsides, but works best for our needs.

Steps performed when running patchWorkspace()
  • Our changes are periodically verified to ensure that they are properly applied and functioning
  • Before executing any scripts in the workspace a quick malware scan is performed using ClamAV
  • Any cherry picks are applied
  • Patch.sh is executed, this applies many .patch files to various repositories and also calls many functions that make further changes
    • enhanceLocation(), this hardens GPS configs
    • enableDexPreOpt(), this decreases boot time
    • enableForcedEncryption(), this ensures devices are encrypted by default
    • hardenDefconfig(), this enables many kernel security features
  • Defaults.sh is executed, this changes various default settings
  • Overclock.sh is executed, this applies overclocks to various kernels
  • Rebrand.sh is executed, this changes many LineageOS references over to DivestOS
  • Deblob.sh is executed, this removes many proprietary blob files from the following locations: device, kernel, vendor
  • Patch_CVE.sh is executed, this executes scripts created by the CVE patcher to automatically apply many CVE patches to all the kernels
  • Theme.sh (14.1 only) is executed, this changes the teal accents to orange ones

The Changes

We currently support LineageOS 11.0 (KitKat), 14.1 (Nougat), 15.1 (Oreo), 16.0 (Pie), and 17.1 (Q). We try our best to ensure parity between them, but 11.0 is missing a number of features and isn't recommended unless necessary.

Included Apps
  • Mull: A browser hardened against trackers by default. Replaces AOSP Browser/LineageOS Jelly
  • F-Droid: An app catalogue for FOSS apps
  • UnifiedNlp + Backends: Fused location provider that uses plugins to provide battery efficient location lookups.
  • FairEmail: A sane e-mail client
  • Offline Calendar: Allows creating calendars without an account
  • OpenCamera: An improved camera app. Replaces Camera2/Snap
  • Silence: An improved SMS app that allows for end-to-end encrypted messages between other Silence users. Replaces AOSP Messaging
  • Simple Gallery: An improved gallery app. Replaces AOSP Gallery
  • Vanilla: A lightweight and customizable music player. Replaces Eleven/Music