Frequently Asked Questions

Device Choice¶

Any guidelines for choosing a device?¶

Yes, please for your own sake avoid devices with the following:

  • Carrier branding
  • No access to fastboot and/or requiring to create an account
  • Less than 4GB of RAM
  • Less than 64GB of storage
  • Less than a 2000mAh battery
  • Released before 2017
  • Non-Qualcomm/Tensor SoC, eg. MediaTek/Exynos/Tegra/OMAP
  • Kernel older than 4.4

And for the best experience:

  • At least 6GB of RAM
  • At least 128GB of storage
  • At least an SD845 SoC
  • At least kernel 4.9, preferably newer.

What phone do you recommend?¶

If you can acquire/afford a Pixel 6/6a/7, go buy one and use GrapheneOS. Otherwise please see the list of "golden" devices.

What tablet do you recommend?¶

  • Google Pixel C (dragon)
  • Note: The below devices only have 2GB of RAM.
  • Google Nexus 9 (flounder)
  • Google Nexus 7 2013 (flox)

Can I send you my phone to install DivestOS for me?¶

Not at the moment, maybe in the future. You can however join the chat room and ask for install help.

A note on Google Pixels¶

Seemingly any Verizon, Telus, Rogers, or EE carrier variants cannot be bootloader unlocked. In general always avoid such.

Device Support¶

Are all devices supported equally?¶

No, some devices have much better support than others.

What is the difference between the different device statuses on the downloads page?¶

  • Tested Working: This is a device we've personally tested working.
  • Reported Working: A user has come forward and reported the device working.
  • Very Likely Working: The device has had many updater checks for it over a prolonged period.
  • Likely Working: A similar device in its series is at least `Very Likely Working`.
  • Mostly Working: The device is daily drivable, but some functionality may be unavailable such as the camera.
  • Untested: The device hasn't been tested, reported, or had any updater checks for it.
  • Broken: The device doesn't boot or has critical functionality impacted.

What devices support incremental/delta OTA updates?¶

Previously all devices were supported, however there were issues on many legacy devices failing to properly apply them leaving the install in an inconsistent state. Now only update_engine devices have incrementals generated.
As of 2023/06/02 that is: akari, akatsuki, alioth, Amber, apollon, aura, aurora, avicii, barbet, bluejay, blueline, bonito, bramble, cheetah, cheryl, coral, crosshatch, davinci, discovery, enchilada, fajita, flame, FP3, FP4, guacamole, guacamoleb, hotdog, hotdogb, instantnoodle, instantnoodlep, kebab, kirin, lemonade, lemonadep, lemonades, marlin, mata, mermaid, oriole, panther, pioneer, pro1, pro1x, raven, redfin, sailfish, sargo, sunfish, taimen, vayu, voyager, walleye, xz2c

What devices support Wi-Fi MAC randomization?¶

As of 2023/06/02: akari, akatsuki, alioth, Amber, apollon, aura, aurora, avicii, barbet, beryllium, bluejay, blueline, bonito, bramble, cheeseburger, cheetah, cheryl, coral, crosshatch, davinci, dipper, discovery, dumpling, enchilada, equuleus, fajita, flame, FP4, guacamole, guacamoleb, hotdog, hotdogb, instantnoodle, instantnoodlep, jasmine_sprout, kebab, kirin, lavender, lemonade, lemonadep, lemonades, lmi, mata, mermaid, oriole, panther, pioneer, platina, polaris, pro1, pro1x, raven, redfin, sargo, star2lte, starlte, sunfish, taimen, twolip, ursa, vayu, voyager, walleye, wayne, whyred, xz2c

What devices have CFI enabled kernels?¶

As of 2023/06/02:

  • CFI enabled: none yet
  • CFI and SCS enabled: blueline/crosshatch, bonito/sargo, coral/flame/sunfish, bramble/redfin/barbet, oriole/raven/bluejay, cheetah/panther, FP4, lemonade*
  • CFI supported, but not enabled: akari/akatsuki/aurora/xz2c, avicii, cheryl, beryllium/dipper/equuleus/polaris/ursa, davinci, FP3
  • CFI and SCS supported, but not enabled: alioth/apollon/lmi, guacamole*/hotdog*, vayu, instantnoodle*/kebab
  • CFI supported, but tested non-functional as is: enchilada/fajita

What memory allocator is used?¶

As of 2023/06/02:

  • jemalloc for 32-bit and 64-bit: all 14.1 and 15.1 devices
  • jemalloc for 32-bit and hardened_malloc for 64-bit: all 16.0 devices
  • scudo for 32-bit and hardened_malloc for 64-bit: all 17.1, 18.1, 19.1, and 20.0 devices
  • Exception: These devices use jemalloc for 32-bit instead of scudo: akari/akatsuki/aurora/xz2c, cheryl, klte, hlte

What devices are known to have faulty/insecure bootloaders?¶

These are vendor limitations and apply to any OS. This list must be assumed incomplete. As of 2023/06/02:

  • Can't be relocked (with a custom OS): OnePlus 7 and newer, Motorola, Samsung, Xiaomi
  • EDL access available: axolotl, FP2, FP3, bacon, oneplus2, oneplus3/t, cheeseburger/dumpling, enchilada/fajita, hotdog*/guacamole*, avicii, instantnoodle*/kebab/lemonades, lemonade*
  • Trusts test-keys for verified boot: enchilada/fajita, FP3, FP4
  • Qualcomm Secure Boot disabled: axolotl, FP2, FP3
  • Qualcomm Crashdump enabled: enchilada/fajita
  • Has alternate manufacture mode available (eg. LAF): mako, LG G2, LG G3, LG G4

Why does VoLTE not work on my device?¶

  • The device may lack the necessary configuration files for your carrier and will never work.
  • VoLTE may be default disabled for your line. You can check your carrier website or call them to activate it if so.
  • Your carrier may only activate VoLTE on "approved" devices.
  • Your carrier hasn't actually rolled out VoLTE yet.

What devices is VoLTE known to be working on assuming everything else is in-place?¶

As of 2023/06/02: bluejay, cheeseburger, fajita, mata, taimen, FP3
Can be assumed working: dumpling, enchilada, walleye

My device has LTE without VoLTE but my carrier has phased out 2G/3G calling, what can I do?¶

  • Acquire a newer device if possible.
  • Otherwise consider a VoIP service like JMP.chat.

Will you provide GSI images?¶

No, many of the features in DivestOS such as the deblobber and kernel patching/hardening are incompatible with how GSI images work.

Will you provide x86 images?¶

No, there is no support in AOSP for running on traditional desktop/laptop computers. It is recommended you instead use Fedora with our Brace package.

Can you support X device, that does have an official LineageOS port?¶

If there is enough demand, yes. The list of already requested devices is tracked here.

Can you support X device, that doesn't have an (un)official LineageOS port?¶

No.

Operating System¶

I found a bug! Where do I report it?¶

Please see the bug reporting page.

What devices do you test on before release?¶

  • 14.1: toroplus
  • 15.1: bullhead, dragon, flounder, hammerhead
  • 16.0: untested
  • 17.1: clark
  • 18.1: bacon, d852, flox, klte, mako, sailfish
  • 19.1: untested
  • 20.0: bluejay, fajita, cheeseburger, taimen, mata
  • Have an unused device? Please consider donating it for better test coverage.

Should I use Private DNS?¶

Generally yes you should, otherwise whatever DNS server is advertised by your carrier or Wi-Fi network will be used.
Do note however that Private DNS despite its name has limited privacy benefits (due to lack of ESNI/ECH), but does have security benefits and when combined with a DNSSEC enabled resolver will better ensure your DNS requests are not tampered with.

Should I use Private DNS when using a VPN/Tor?¶

  • If you want to use the built-in content blocker of DivestOS you must enable Private DNS.
  • If you use NetGuard/RethinkDNS/DNS66/Blokada or any VPN provider with a built-in content blocker you should disable Private DNS.
  • If you're using Tor via Orbot's VPN mode and want an app to access Onion Services you must disable Private DNS.
  • Otherwise you should consider what you value more: the content blocker or ensuring the VPN handles DNS.
  • In the case you do use Private DNS with Tor or a real VPN, the Private DNS host will not learn your true IP as the requests will be routed over the VPN slot.

So Google apps and other proprietary apps won't work at all?¶

Many apps will work just fine. Status of some apps is documented here

  • Google Maps does work on DivestOS.
  • Google apps that mandate Google login won't work.
  • Apps that hard depend on Play Services won't work.
  • Apps that depend on SafetyNet won't work.
  • Apps that depend on DRM won't work.
  • Apps that use Play Asset Delivery won't work.
  • Apps that depend on FCM/GCM without a fallback won't have notifications.
  • Apps that Aurora Store labels as "GSF dependent" may actually work just fine.
  • Android Auto won't work.
  • Some games will be broken by the hardened memory allocator, pick a 32-bit device in the Aurora `spoof manager` instead.
  • While not for DivestOS, there is a large list of banking apps and their compatibility status regarding SafetyNet & Play Services documented here.

If you have an app that isn't working and doesn't contain an error message covering the above (SafetyNet/DRM/Play), try:

  • Allowing self debugging: Settings > Security > Enable native code debugging > checked
  • Disabling the content blocker: Settings > Security > Disable DNS content blocker > checked (if this fixes it please report so it can be excluded from list)
  • Joining the chat and asking for help.

There are also alternative ways to use an incompatible app:

  • See if there is an official (progressive) web app version of the app.
  • Some services have phone numbers you can call to interact with. (eg. Uber)
  • Try to find an official version of the app on the Amazon or Huawei app store. These are unlikely to have any Google dependencies. Be careful as both stores have many fake/impostor apps.

What Bluetooth audio codecs are available (if supported by device)?¶

  • SBC is available on all versions.
  • SBC-XQ is available on select versions, see below.
  • AAC, aptX, and LDAC are available on 15.1 and higher.
  • LC3 (LE Audio) is available on 20.0 and higher.
  • aptX is available on all 20.0 devices after the March 2023 update as it was open-sourced.

Is Bluetooth SBC-XQ (dual channel SBC) available?¶

  • 14.1 has the patches included, but it can only be enabled globally with root which is not supported.
  • 15.1, 16.0, and 18.1 have it in the per-device Bluetooth settings menu.
  • 17.1 and 19.1 had incomplete patches made, and not merged.
  • 20.0 has not yet received a port of it.

Why is F-Droid used?¶

While F-Droid currently has _some_ _major_ _issues_, it is the largest repository of FOSS apps around with some rails in place along with an active community.

Should I use an alternative F-Droid client?¶

While the official F-Droid client currently has issues as linked above, it is not recommend to use an alternative client due to how DivestOS utilizes its own F-Droid repos for updates. If you do want to use one anyway, you MUST do the following:

Should I use the 'XG only' network mode option (if available)?¶

2G has no encryption, 3G has decent encryption, and LTE has end-to-end encryption (simplified, 3G and LTE still have many leaks). Malicious cell interception devices capable of intercepting 3G/LTE are very expensive kits, so the lesser ones downgrade you to 2G where they can work. These network modes offer enhanced protection against interception by pinning to a mode. As always there are various other ways for your device to be compromised or to have your data intercepted.

Which to use? If your device has VoLTE available, you should choose 'LTE only'. If it has LTE but you can make calls over 3G, choose 'LTE/3G only'. If it does not have LTE, but can make calls over 3G, choose '3G only'. If you can't make calls over 3G, you will sadly have to use the regular LTE or 3G modes (which happily downgrade to 2G).

Why haven't you completely changed the default DNS servers?¶

Currently Quad9 is used for DNS fallback and for tethering. Switching it by default for cell would break VoLTE, SMS, MMS, and Visual Voicemail. And switching it for Wi-Fi could potentially break access to some LAN devices.

Why isn't DivestOS based on X operating system?¶

LineageOS has superb device compatibility across the board, along with a strict set of baseline requirements. Our build scripts are mostly universal so adding an alternate base if needed is easily doable.

Why did you only partially remove VoLTE?¶

Many carriers are phasing out their 2G/3G cell towers. Soon it will only be possible to make calls using VoLTE.

Why did you remove the weather providers?¶

Because they all transmit your location on a somewhat fixed schedule over HTTP.

Will you add that one theme engine?¶

No.

Why isn't root included/supported?¶

DivestOS does not support or encourage the use of root or runtime modification frameworks.
Such tools will break the following functions:

  • Bootloader locking on verified boot capable devices, preventing the system from booting.
  • Verified boot on capable devices, preventing the system from booting.
  • Incremental delta OTA updates, will fail to flash.
  • You will not be able to use the DivestOS recovery. DivestOS recovery only flashes same-signed ZIPs.
  • Lineage add-on backuptool is removed from DivestOS, you will have to reflash your changes every update.
  • Will break the trust model that AOSP employs and reduce the integrity of the system.
Here are some common use cases of rooting and alternatives if available:
  • Network Restriction: DivestOS already lets you restrict network for each app by connection type (cellular/Wi-Fi/VPN), when in the background, and optionally completely revoke NETWORK permission.
  • Ad/Tracker Blocking: DivestOS includes a tailored HOSTS file by default for such blocking. The user can further choose to use an alternative DNS or use a local VPN app such as DNS66 or NetGuard.
  • Permission Control: Modern AOSP provides far more control of permissions than older versions.
  • Data Spoofing: You can run apps in a work profile via Shelter/Insular or in a separate user profile to minimize data available to apps when granted related permissions.
  • Backup: DivestOS includes SeedVault on Q/R/S/T for backing up apps and their data to Nextcloud or USB OTG.
  • Overclocking: Most mobile system-on-chips have their RAM stacked above the processor. Heat kills. Overclocking can and will reduce the life-span of your device.
  • App Removal: Modern AOSP already lets you strictly disable most system installed apps. Furthermore DivestOS already includes far fewer system apps compared to most other operating systems.
  • Battery Saving: Modern AOSP lets you prohibit apps from running in the background completely and has more advanced idle battery saving features.
  • Battery Analysis: You can use Battery Historian via ADB for extremely detailed battery usage reports.

Freedom¶

Why are you hosting on GitHub.com and GitLab.com if they are proprietary?¶

Because a lot of people have existing accounts on them which reduces the barrier to entry for contributing. You are otherwise free to e-mail patches to us if you prefer.

Why are you wasting your time with Android? It's clear that Google has been slowly killing AOSP every release!¶

Android is a legitimately fantastic operating system and no other mobile platform has as many open source apps as it does. F-Droid as of February 2023 has over 4,000 FOSS apps!

Other Things¶

Where can I talk to other users?¶

Please see the community page.

How do you say DivestOS?¶

  • [die-vEst OH ES]
  • /daɪˈvÉ›stËŒoÊŠ ˈɛs/

What VPN/email/boat rental services do you recommend?¶

¯\_(ツ)_/¯

Why does DivestOS not use the word "ROM" anywhere on its website?¶

DivestOS is an aftermarket operating system with a strict set of standards it strives to achieve.
Not a poorly documented, code over the wall, haphazardly maintained "ROM".

What are some misconceptions I should be aware of?¶

  • If you encounter a serious issue, wiping is almost never the solution.
  • In-place upgrades are supported whenever possible.
  • Wiping cache does absolutely nothing.
  • You can still install updates when the bootloader is locked.
  • `fastboot update xyz.zip` does not replace your bootloader.
  • UnifiedNlp is not required for apps to acquire location.
  • Network location providers, such as Play and UnifiedNlp, do not make GPS acquire a lock quicker.

I want to sell devices with DivestOS preloaded, what should I know?¶

Selling devices with official builds of DivestOS installed is OKAY and within the license. Some preferred suggestions:

  • Handle the sale in good faith.
  • Do not market DivestOS as a magic bullet of privacy and/or security.
  • Verify the GPG signature and checksums of the builds you download/install.
  • Use Extirpater + factory reset to ensure no previous user data remains.
  • Ensure the device firmware is up to date before flashing.
  • Use the DivestOS recovery if supported.
  • Do not modify any system or firmware partitions such as /system, /vendor, or /boot.
  • Lock the bootloader if supported.
  • If the device requires a token or keyfile to unlock the bootloader, provide it to the user.
  • Leave it at the setup screen.
  • Leave the default wallpaper.
  • If you preload apps only source from the existing F-Droid repositories.

If you are not using official builds of DivestOS:

  • Make it clear to your users that it is unofficial.
  • Use the branding variables in the scripts to rebrand it.
  • You must make your sources available to your users as per the original repositories' respective licenses. Compliance is mandatory!
  • Consider upstreaming any appropriate changes.