Faq - DivestOS Mobile

Frequently Asked Questions

Device Choice¶

Any guidelines for choosing a device?¶

Yes, please for your own sake avoid devices with the following:

Carrier branding
No access to fastboot and/or requiring to create an account
Less than 6GB of RAM
Less than 64GB of storage
Less than a 2000mAh battery
Released before 2017
Non-Qualcomm/Tensor SoC, eg. MediaTek/Exynos/Tegra/OMAP
Kernel older than 4.4

And for the best experience:

At least 8GB of RAM
At least 128GB of storage
At least an SD845 SoC
At least kernel 4.9, preferably newer.

What phone do you recommend?¶

The Pixel 6/6a/7/7a series. 6a is an excellent value on sale and it will receive support from Google until July 2027. Otherwise please see the list of "golden" devices.

What tablet do you recommend?¶

Note: None of these devices meet the above requirements.

Google Pixel C (dragon)
Google Nexus 9 (flounder)
Google Nexus 7 2013 (flox)

Can I send you my phone to install DivestOS for me?¶

No. You can however join the chat room and ask for install help.

A note on Google Pixels¶

Seemingly any Verizon, Telus, Rogers, or EE carrier variants cannot be bootloader unlocked. In general always avoid such.

Device Support¶

Are all devices supported equally?¶

No, some devices have much better support than others.

What is the difference between the different device statuses on the downloads page?¶

Tested Working: This is a device we've personally tested working.
Reported Working: A user has come forward and reported the device working.
Very Likely Working: The device has had many updater checks for it over a prolonged period.
Likely Working: A similar device in its series is at least `Very Likely Working`.
Mostly Working: The device is daily drivable, but some functionality may be unavailable such as the camera.
Untested: The device hasn't been tested, reported, or had any updater checks for it.
Broken: The device doesn't boot or has critical functionality impacted.

What devices support incremental/delta OTA updates?¶

Previously all devices were supported, however there were issues on many legacy devices failing to properly apply them leaving the install in an inconsistent state. Now only update_engine devices have incrementals generated.
As of 2023/11/01 that is: akari, akatsuki, alioth, Amber, apollon, aura, aurora, avicii, barbet, bluejay, blueline, bonito, bramble, cheetah, cheryl, coral, crosshatch, davinci, discovery, enchilada, fajita, flame, FP3, FP4, guacamole, guacamoleb, hotdog, hotdogb, instantnoodle, instantnoodlep, kebab, kirin, lemonade, lemonadep, lemonades, marlin, mata, mermaid, oriole, panther, pioneer, pro1, pro1x, raven, redfin, sailfish, sargo, sunfish, taimen, vayu, voyager, walleye, xz2c

What devices support Wi-Fi MAC randomization?¶

As of 2023/11/01: akari, akatsuki, alioth, Amber, apollon, aura, aurora, avicii, barbet, beryllium, bluejay, blueline, bonito, bramble, cheeseburger, cheetah, cheryl, coral, crosshatch, davinci, dipper, discovery, dumpling, enchilada, equuleus, fajita, flame, FP4, guacamole, guacamoleb, hotdog, hotdogb, instantnoodle, instantnoodlep, jasmine_sprout, kebab, kirin, lavender, lemonade, lemonadep, lemonades, lmi, mata, mermaid, oriole, panther, pioneer, platina, polaris, pro1, pro1x, raven, redfin, sargo, star2lte, starlte, sunfish, taimen, twolip, ursa, vayu, voyager, walleye, wayne, whyred, xz2c

What devices have CFI enabled kernels?¶

As of 2023/11/01:

CFI enabled: none yet
CFI and SCS enabled: blueline/crosshatch, bonito/sargo, coral/flame/sunfish, bramble/redfin/barbet, oriole/raven/bluejay, cheetah/panther, FP4, lemonade*
CFI supported, but not enabled: akari/akatsuki/aurora/xz2c, avicii, cheryl, beryllium/dipper/equuleus/polaris/ursa, davinci, FP3
CFI and SCS supported, but not enabled: alioth/apollon/lmi, guacamole*/hotdog*, vayu, instantnoodle*/kebab
CFI supported, but tested non-functional as is: enchilada/fajita

What memory allocator is used?¶

As of 2023/11/01:

jemalloc for 32-bit and 64-bit: all 14.1 and 15.1 devices
jemalloc for 32-bit and hardened_malloc for 64-bit: all 16.0 and 17.1 devices
scudo for 32-bit and hardened_malloc for 64-bit: all 18.1, 19.1, and 20.0 devices
Exception: These devices use jemalloc for 32-bit instead of scudo: akari/akatsuki/aurora/xz2c, cheryl, klte, hlte

Why does DivestOS enable low_ram mode when Google only recommends it for <=2GB devices?¶

The OnePlus 3 released with Android 6.0 and had 6GB of RAM. Running Android 11 on a device that released with Android 4.2 and 2GB of RAM is much more usable when the system isn't hogging all the resources.

What devices have low_ram mode set?¶

As of 2023/11/01

14.1: <2GB
15.1: <2GB
16.0: <2GB
17.1: <3GB
18.1: <3GB
19.1: <4GB
20.0: <4GB

What devices are known to have faulty/insecure bootloaders?¶

These are vendor limitations and apply to any OS. This list must be assumed incomplete. As of 2023/11/01:

Trusts test-keys for verified boot:
- Impact: Combined with the ability to write to system partitions this may allow an attacker to write data that will pass verified boot checks.
- Affected Devices: enchilada/fajita, FP3, FP4
Can't be relocked (with a custom OS):
- Impact: When unlocked, an attacker can trivally flash partitions without risk of erasing user-data. Additionally verified boot is only enforcing when locked. Verified boot raises the barrier of local attacks and helps mitigate persistence of remote attacks.
- Affected Devices: OnePlus 7 and newer, Motorola, Samsung, Xiaomi
EDL access available:
- Impact: Allows replacing partitions at will. Can even allow dumping entire RAM (including secrets) and/or partition (including userdata) contents.
- Affected Devices: axolotl, FP2, FP3, bacon, oneplus2, oneplus3/t, cheeseburger/dumpling, enchilada/fajita, hotdog*/guacamole*, avicii, instantnoodle*/kebab/lemonades, lemonade*
Qualcomm Crashdump enabled:
- Impact: When combined with EDL access this allows dumping complete RAM contents at runtime without any restrictions.
- Affected Devices: enchilada/fajita
Qualcomm Secure Boot disabled:
- Impact: This allows replacing ALL partitions, including the bootloader itself, when combined with EDL access. This directly undermines all other signature checks and verified boot.
- Affected Devices: axolotl, FP2, FP3
Has alternate manufacture mode available (eg. LAF):
- Impact: Allows replacing partitions at will.
- Affected Devices: mako, LG G2, LG G3, LG G4

What devices have eSIM support?¶

As of 2023/11/01: Pixel 4 series and newer, along with the Fairphone 4

Why does VoLTE not work on my device?¶

VoLTE does not work on any Samsung or LGE devices under aftermarket systems.
The device may lack the necessary configuration files for your carrier and will never work.
VoLTE may be default disabled for your line. You can check your carrier website or call them to activate it if so.
Your carrier may only activate VoLTE on "approved" devices.
Your carrier hasn't actually rolled out VoLTE yet.

What devices is VoLTE known to be working on assuming everything else is in-place?¶

As of 2023/11/01: bluejay, flame, cheeseburger, fajita, mata, taimen, FP3
Can be assumed working: coral, dumpling, enchilada, walleye

My device has LTE without VoLTE but my carrier has phased out 2G/3G calling, what can I do?¶

Acquire a newer device if possible.
Otherwise consider a VoIP service like JMP.chat.

Will you provide GSI images?¶

No, many of the features in DivestOS such as the deblobber and kernel patching/hardening are incompatible with how GSI images work.

Will you provide x86 images?¶

No, there is no support in AOSP for running on traditional desktop/laptop computers. It is recommended you instead use Fedora with our Brace package.

Can you support X device, that does have an official LineageOS port?¶

If there is enough demand, yes. The list of already requested devices is tracked here.

Can you support X device, that doesn't have an (un)official LineageOS port?¶

No.

Operating System¶

I found a bug! Where do I report it?¶

Please see the bug reporting page.

How is location handled?¶

DivestOS takes some more extreme care with location compared to most other systems and doesn't work how most people expect.

GPS is the only provider of location.
GPS should lock within 2 minutes when outdoors and within 10 minutes indoors. Maximum GPS TTFF is 12.5 minutes due to their orbit and transmission rate.
Tablets or other devices without GPS support have no mechanism to obtain location.
Network (cell tower, Wi-Fi, Bluetooth beacon) based location providers such as Google Play Services, Qualcomm IZat, and microG/UnifiedNlp are not supported.
Enabling the location provider in microG/UnifiedNlp will not do anything as it does not have permission to be a system location provider.
The primary reason for not supporting network location providers is that they effectively divulge your location to third-parties (eg. Google/Qualcomm/Apple/Mozilla) every time they are used. The alternative offline databases are too small to be realistically effective.
On Tensor devices both PSDS and SUPL can be used to speedup GPS TTFF. It is recommended to disable SUPL on these devices.
On newer Qualcomm devices (ones that'd typically use xtra-daemon) SUPL is the only mechanism to obtain the almanac to speedup GPS TTFF. PSDS is not supported. It is not recommended to disable SUPL on these devices as it will cause very long lock times.
On older Qualcomm devices (ones that'd typically use libloc) PSDS may work in addition to SUPL to speedup GPS TTFF. It is recommended to disable SUPL on these devices.
On 20.0 and higher you can disable PSDS and SUPL in Settings > Location > Use assisted GPS. This setting will still allow them during emergency calls.
On 17.1 and higher you can disable SUPL in Settings > Location > Force disable SUPL. This setting will not allow it even during emergency calls.
On pre 17.1 you can disable SUPL by removing the `supl` APN type from your chosen APN preset.
DivestOS furthermore disables use of SUPL MSA as well as LPP and LPPe.
There is a more technical explanation of this here.

What is the benefit of a security focused memory allocator?¶

The primary possible benefits of security focused memory allocators are the ability to make attacks harder through out of line metadata, greater randomness, double free detection, use after free detection, invalid free detection, 1-byte buffer over or underflow detection, and some write after free detection, as well as zero on free to reduce data lifetime. Not all memory allocators provide these features. There is a comparison table here.

How do I backup my system?¶

On 17.1 and higher Seedvault is included which should be used to backup user apps that allow it. Using Seedvault to a flash drive over OTG is strongly recommended, but be sure to plug it in occasionally to actually ensure recent backups are available.
Note: Seedvault can be unreliable, doesn't support work profiles or secondary users, and the file backup option will squash directory hirearchies.
Many apps have their own backup function, you should use this if Seedvault is unable to backup the app, as a backup backup, or if you're on a version without Seedvault.
From here you can copy all of internal storage (documents, downloads, pictures/videos) which should also include the Seedvault folder (if you didn't use OTG) along with any app specific exports. You can either use USB MTP or with some setup you can use Syncthing to a remote computer.

What apps have their own backup mechanism?¶

The following list is largely user contributed, nor do we necessarily endorse or recommend any of the following apps.
Also note some apps only prompt the share menu which can't actually directly save to a file, you can use this app in that case.
See the full list here!

What devices do you test on before release?¶

14.1: thor, toroplus, athene
15.1: bullhead, dragon, flounder
16.0: untested
17.1: clark
18.1: bacon, d852, flox, m8, klte, hammerhead, mako, sailfish
19.1: untested
20.0: bluejay, flame, fajita, cheeseburger, taimen, mata
Have an unused device? Please consider donating it for better test coverage.

Are OTA updates available?¶

All devices have OTA updates via the Updater app accessible via Settings.

Do I need to install every update the Updater shows?¶

No, just the latest one.

Why does Updater show this tiny update?¶

That is an incremental OTA, you should prefer them over the full updates when available.

What are incremental/delta OTA updates?¶

They are OTA updates that only contain the files changed from the last update, which makes them much smaller to download.

How long do OTA updates take to install?¶

Devices that use update_engine (they install while in the Updater app) should take 10-20 minutes to install, although may take longer if using other apps, and will pause entirely if the screen is off. Devices that reboot to the recovery to install should be less than 5 minutes, but may be up to 10 minutes on very old devices.

What internal databases are updated?¶

AOSP has many internal databases that are often neglected on older versions, however we provide updates for them as follows.

14.1+: LineageOS contributors cloud from latest LineageOS version. Provides accurate credits viewable in Settings.
14.1+: Timezone Databases from latest available. Provides accurate time/offsets for different regions.
14.1+: Certificate Authority store from AOSP master branch. Improves TLS compatibility and integrity.
14.1+: APN list from latest LineageOS version. Improves carrier compatibility.
14.1+: MMS configs from Google Messenger. Improves carrier compatibility.
15.1+: Visual VoiceMail configs from Google Dialer. Improves carrier compatibility.
~~16.0+: carrier_list from AOSP master branch. Improves carrier compatibility.~~ [disabled due to breakage]
~~17.1+: CarrierConfig from AOSP master branch. Improves carrier compatibility.~~ [disabled due to breakage]
~~On supported kernels: Wi-Fi regulations database. Improves Wi-Fi compatibility.~~ [disabled due to breakage]

What Bluetooth audio codecs are available (if supported by device)?¶

SBC is available on all versions.
SBC-XQ is available on select versions, see below.
AAC, aptX, and LDAC are available on 15.1 and higher.
LC3 (LE Audio) is available on 20.0 and higher.
aptX is available on all 20.0 devices after the March 2023 update as it was open-sourced.

Is Bluetooth SBC-XQ (dual channel SBC) available?¶

14.1 has the patches included, but it can only be enabled globally with root which is not supported.
15.1, 16.0, and 18.1 have it in the per-device Bluetooth settings menu.
17.1 and 19.1 had incomplete patches made, and not merged.
20.0 has not yet received a port of it.

What changes does low_ram mode incur?¶

On 14.1 through 16.0 jemalloc is set to svelte mode.
Picture in picture support is disabled.
Multi-window support is disabled.
Split-screen support is disabled.
Live wallpaper support is disabled.
Secondary displays are mirrored instead of extended.
The auto-rotate hint is disabled.
The GPU will be avoided for certain tasks.
Various graphics throughout the system will be rendered at a lower resolution.
Some animations and effects are disabled.
File previews are disabled in the Files app and file picker.

Background apps keep dying! How can I reduce memory usage?¶

Uninstall apps you rarely use.
Reduce the number of background apps running.
Close apps that you aren't using by swiping them away in the app switcher.
Use the built-in network controls in favor of VPN-based firewall apps.
Use the built-in content blocker or `Private DNS` with an adblocking DNS resolver instead of a VPN-based adblock app.
Use the built-in home launcher instead of a third-party launcher. On modern Android the app switcher/overview is handled by the launcher (Quickstep) and most replacement launchers do not actually implement this, which results in both launchers always running.
Try to consolidate messaging apps, as an example Conversations can talk XMPP, IRC via Biboumi, Matrix via Bifrost, and PSTN via jmp.chat. Conversations can even be a push notification provider for apps supporting UnifiedPush, which can let them pause entirely.
Use lighter or more efficient apps such as:
- Organic Maps instead of OsmAnd, the former uses pre-rendered bitmaps vs the latter's rendered vector maps
- Wireguard instead of OpenVPN in VPN apps
If you use a work profile, pause it when not needed.
Work profile apps like Shelter and Insular have options to "freeze" individual apps entirely, use it for infrequently used apps.
Main profile apps can also be "frozen" via apps like SuperFreezZ or Hail, but may cause issues.
If you use secondary user profiles, use the `End Session` button to completely stop them when not needed.
At the direct cost of security you can consider installing 32-bit variants of apps.
Disable the `secure app spawning` feature in Settings > Security.
Try to reboot your device once every three days to workaround any latent memory leaks.
Do not bother with "booster" or "cleaner" apps.
In your web browser, close tabs that are no longer needed.
In your web browser, only keep extensions that you really need. We only recommend uBlock Origin.
If you use uBlock Origin, consider enabling the `Ignore generic cosmetic filters` option.
Use the right tool for the job. Web browsers are great, but sometimes using a dedicated app really is more efficient, such as:
- using a unit/currency converter app instead of searching it.
- watching YouTube in NewPipe instead of their website.
Use an appropriate resolution wallpaper. While that 8K wallpaper may be breathtaking, it only wastes resources when your screen is a fraction of the resolution. Here is an all black smallest possible PNG for this.
Prefer lower resolution video if available. Watching 2K/4K/8K requires more memory for processing and buffering which is just a waste when your screen is only five inches.

How do I add an eSIM? (if supported by device)¶

Settings > Security > Enable eUICC management > enabled.
Reboot your device.
You should now have an app 'OpenEUICC' in your launcher.
Note: OpenEUICC buttons may not be visible if the system dark mode is enabled.
If it says 'No eUICC found', then you need to tap the top right 3dot and enable "Dual SIM", then reboot.
Tap the add button.
If you received a QR code, then tap the barcode scanner button in top right, and scan it.
If you received only a server and activation code, input it into the respective fields, and tap the checkbox to continue.
After a few moments your eSIM should be provisioned and start working.

How do I allow TalkBack on DivestOS 20.0?¶

Settings > Accessibility > TalkBack > Try to open > Shows "Restricted Setting"
Settings > Apps > See all apps > com.android.talkback > 3dot in top right > Allow restricted settings
Settings > Accessibility > TalkBack > Use TalkBack

How do I allow this restricted setting thing?¶

Depending on the installation source, apps may have some special settings restricted. To allow: Settings > Apps > Special App Access > [the setting] > [the app] > confirm that it is greyed out > tap the icon there > then on that app info screen tap the 3dot in top right > Allow restricted settings.

Should I use an alternative F-Droid client?¶

It is not recommend to use an alternative client due to how DivestOS utilizes its own F-Droid repos for updates. Additionally most alternative clients lack mirror support for downloads, incremental index database downloads, or any metadata localization support. If you do want to use one anyway, you MUST do the following:

Add the `DivestOS Official` repo to receive Mull and Mulch (WebView) updates: https://divestos.org/fdroid/official

Should I use the 'XG only' network mode option (if available)?¶

2G has no encryption, 3G has decent encryption, and LTE has end-to-end encryption (simplified, 3G and LTE still have many leaks). Malicious cell interception devices capable of intercepting 3G/LTE are very expensive kits, so the lesser ones downgrade you to 2G where they can work. These network modes offer enhanced protection against interception by pinning to a mode. As always there are various other ways for your device to be compromised or to have your data intercepted.

Which to use? If your device has VoLTE available, you should choose 'LTE only'. If it has LTE but you can make calls over 3G, choose 'LTE/3G only'. If it does not have LTE, but can make calls over 3G, choose '3G only'. If you can't make calls over 3G, you will sadly have to use the regular LTE or 3G modes (which happily downgrade to 2G).

Why isn't DivestOS based on X operating system?¶

LineageOS has superb device compatibility across the board, along with a strict set of baseline requirements. Our build scripts are mostly universal so adding an alternate base if needed is easily doable.

Why did you only partially remove VoLTE?¶

Many carriers are phasing out their 2G/3G cell towers. Soon it will only be possible to make calls using VoLTE.

Why did you remove the weather providers?¶

Because they all transmit your location on a somewhat fixed schedule over HTTP.

Will you add that one theme engine?¶

No.

How can I sandbox my apps?¶

All apps on Android are already sandboxed. If you want to be able to grant less-trustworthy apps permissions that they demand such as contacts or files access then install them in a work profile (eg. Shelter). This would let them access any saved contacts or files in the work profile but not of your true main user. So be sure to not actually store any sensitive information in the work profile!

Can apps access hardware identifiers like the serial number or IMEI?¶

Android 10 and higher prohibits all user apps from accessing: serial number, Wi-Fi & Bluetooth MAC addresses, IMEI, and IMSI. DivestOS 16.0 and higher also ensures apps with a lower targetSdk cannot access the serial number.

Does DivestOS contain proprietary code?¶

Yes. All of the devices have hundreds to thousands of proprietary blobs used for hardware enablement. This applies to every aftermarket Android OS and every known shipping Android device. However unlike other systems, DivestOS goes to a great extent to remove proprietary blobs that are not truly necessary as is handled here.

Does DivestOS still contain non-device specific proprietary code?¶

Yes. Of note: GrapheneOS, CalyxOS, LineageOS, and others contain these too.

Chromium/Mulch contains Google Play Services and Firebase libraries. Removal of this would noticeable slow down updates leaving users exposed to known security issues for longer.
ImsServiceEntitlement on A12/19.1 and higher contains Google Play Services and Firebase libraries. Removal of this would break calling functionality on select carriers that utilize FCM for IMS enablement. DivestOS removed this in the September 2023 release.
The Car/DebuggingRestrictionController on A12/19.1 and higher contains Google Play Services and Firebase libraries. DivestOS removed this in the September 2023 release.

Why isn't root included/supported?¶

DivestOS does not support or encourage the use of root or runtime modification frameworks.
Such tools will break the following functions:

Bootloader locking on verified boot capable devices, preventing the system from booting.
Verified boot on capable devices, preventing the system from booting.
Incremental delta OTA updates, will fail to flash.
You will not be able to use the DivestOS recovery. DivestOS recovery only flashes same-signed ZIPs.
Lineage add-on backuptool is removed from DivestOS, you will have to reflash your changes every update.
Will break the trust model that AOSP employs and reduce the integrity of the system.

Here are some common use cases of rooting and alternatives if available:

Network Restriction: DivestOS already lets you restrict network for each app by connection type (cellular/Wi-Fi/VPN), when in the background, and optionally completely revoke NETWORK permission.
Ad/Tracker Blocking: DivestOS includes a tailored HOSTS file by default for such blocking. The user can further choose to use an alternative DNS or use a local VPN app such as DNS66 or NetGuard.
Permission Control: Modern AOSP provides far more control of permissions than older versions.
Data Spoofing: You can run apps in a work profile via Shelter/Insular or in a separate user profile to minimize data available to apps when granted related permissions.
Backup: DivestOS includes SeedVault on Q/R/S/T for backing up apps and their data to Nextcloud or USB OTG.
Overclocking: Most mobile system-on-chips have their RAM stacked above the processor. Heat kills. Overclocking can and will reduce the life-span of your device.
App Removal: Modern AOSP already lets you strictly disable most system installed apps. Furthermore DivestOS already includes far fewer system apps compared to most other operating systems.
Battery Saving: Modern AOSP lets you prohibit apps from running in the background completely and has more advanced idle battery saving features.
Battery Analysis: You can use Battery Historian via ADB for extremely detailed battery usage reports.

Application Compatibility¶

So Google apps and other proprietary apps won't work at all?¶

Many apps will work just fine. Status of some apps is documented here

Apps that hard depend on Play Services won't work, but may work with microG enabled.
Apps that depend on FCM/GCM without a fallback won't have notifications, but may work with microG enabled.
Apps that mandate Google login won't work, but may work with microG enabled.
Apps that depend on SafetyNet won't work.
Apps that depend on DRM won't work.
Apps that depend on Play Asset Delivery won't work.
Apps that Aurora Store labels as "GSF dependent" may actually work just fine.
Android Auto won't work.
Some games will be broken by the hardened memory allocator, pick a 32-bit device in the Aurora `spoof manager` instead.
While not for DivestOS, there is a large list of banking apps and their compatibility status regarding SafetyNet & Play Services documented here.

If you have an app that isn't working and doesn't contain an error message covering the above (SafetyNet/DRM/Play), try:

Allowing self debugging: Settings > Security > Enable native code debugging > checked
Disabling the content blocker: Settings > Security > Disable DNS content blocker > checked (if this fixes it please report so it can be excluded from list)
17.1 and lower only: Try installing the APK with the source spoofed to the Play Store: adb push example.apk /data/local/tmp && adb shell pm install -i "com.android.vending" -r /data/local/tmp/example.apk
Joining the chat and asking for help.

There are also alternative ways to use an incompatible app:

See if there is an official (progressive) web app version of the app.
Some services have phone numbers you can call to interact with. (eg. Uber)
Try to find an official version of the app on the Amazon or Huawei app store. These are unlikely to have any Google dependencies. Be careful as both stores have many fake/impostor apps.

Anything important I should know about microG?¶

The 'Google device registration' and 'Google SafetyNet' options WILL make microG connect to Google servers.
The 'Cloud Messaging' option WILL make microG maintain a persistent connection to Google servers.
The 'Cloud Messaging' option does NOT require a Google account.
The 'Google SafetyNet' option WILL download and execute proprietary obfuscated code from Google and is strongly NOT recommended.
While microG itself is open source, any apps talking to it will do so using the proprietary Google Play Services library.

How do I enable microG?¶

microG is NOT supported and NOT recommended, however it can work in an unprivileged fashion on DivestOS 17.1 and higher after the July 2023 update.

Note: microG on DivestOS is only visible to other apps in the same profile as itself.
Open system Settings, Security, and toggle on the 'microG enablement' option.
Open F-Droid, Settings, Repositories, and enable the 'microG' repo. If it isn't listed you can add it manually.
In F-Droid search for and install the latest version of the following apps: microG Services Core, microG Services Framework Proxy, FakeStore.
Note: F-Droid will NOT suggest the latest version of microG as it is marked a beta, but that beta is mandatory. You must scroll down to the versions and manually choose it.
microG will now work.
Tip: If you didn't flip the toggle on before installing, simply flip it on and reboot.

How should I configure microG?¶

Depending on the apps you want to use there are a few different ways you can use microG.

Some apps don't need microG but check that they were installed via Play, in this case you only need FakeStore and to install the app via `Aurora Store` or `Obtainium`. This mechanism only works on 18.1+ currently, adb workaround still necessary on older versions.
Some apps will work with microG simply installed without any Google connections, in this case it is strongly recommended to revoke Network permission from the microG app.
Some apps need push notifications via Google, for them you must let microG maintain a persistent identifiable connection to Google. Enable 'Google device registration' and 'Cloud Messaging' in microG.
Some apps require a captcha to be performed by the user, for them you can enable the 'Google SafetyNet' option.
Some apps require SafetyNet to work, while the option to enable it currently exists it will not work in the unprivileged mode that DivestOS uses and will be removed in a future update.

Networking¶

Why haven't you completely changed the default DNS servers?¶

Currently Quad9 is used for DNS fallback and for tethering. Switching it by default for cell would break VoLTE, SMS, MMS, and Visual Voicemail. And switching it for Wi-Fi could potentially break access to some LAN devices.

Should I use Private DNS?¶

Generally yes you should, otherwise whatever DNS server is advertised by your carrier or Wi-Fi network will be used.
Do note however that Private DNS despite its name has limited privacy benefits (due to lack of ESNI/ECH), but does have security benefits and when combined with a DNSSEC enabled resolver will better ensure your DNS requests are not tampered with.

Should I use Private DNS when using a VPN/Tor?¶

If you want to use the built-in content blocker of DivestOS you must enable Private DNS.
If you use NetGuard/RethinkDNS/DNS66/Blokada or any VPN provider with a built-in content blocker you should disable Private DNS.
If you're using Tor via Orbot's VPN mode and want an app to access Onion Services you must disable Private DNS.
Otherwise you should consider what you value more: the content blocker or ensuring the VPN handles DNS.
In the case you do use Private DNS with Tor or a real VPN, the Private DNS host will not learn your true IP as the requests will be routed over the VPN slot.

How do I control network access for an app?¶

For simply blocking an app from say using mobile data, use the built-in data restrictions: App info > Mobile data & Wi-fi
For completely denying an app access to networking functions entirely, revoke the Network permission: App info > Permissions > Network
For blocking ads/trackers: that is already done via the built-in content filter and there is nothing to configure.

XYZ website is blocked! How do I disable the content blocker?¶

Settings > Security > Disable DNS content blocker > Enabled

How to set a stable MAC address for a specific Wi-Fi network?¶

Settings > Network & internet > Internet > Tap the gear next to the specific Wi-Fi network > Privacy > Use per-network randomized MAC.

How can I use two VPNs at once?¶

You cannot chain VPNs, but you can route different apps through different VPNs via the work profile feature enabled through an app like Shelter. Your main profile can have one VPN, and your work profile another. This is very useful for eg. main profile through Orbot/Tor and work profile via a trusted or self-hosted VPN.

Why won't my work profile use my main profile VPN?¶

Profiles are completely separate in that regard. You must setup your preferred VPN in the work profile too.

Can I route connected hotspot devices via the VPN?¶

Yes, you can route them via the main profile VPN. Enable this in Settings > Network & internet > Hotspot & tethering > Allow clients to use VPNs.

Freedom¶

Why are you hosting on GitHub.com and GitLab.com if they are proprietary?¶

Because a lot of people have existing accounts on them which reduces the barrier to entry for contributing. You are otherwise free to contribute via Codeberg or e-mail patches to us if you prefer.

Why are you wasting your time with Android? It's clear that Google has been slowly killing AOSP every release!¶

Android is a legitimately fantastic operating system and no other mobile platform has as many open source apps as it does. F-Droid as of February 2023 has over 4,000 FOSS apps!

Other Things¶

Where can I talk to other users?¶

Please see the community page.

How do you say DivestOS?¶

[die-vEst OH ES]
/daɪˈvɛstˌoʊ ˈɛs/

What VPN/email/boat rental services do you recommend?¶

¯\_(ツ)_/¯

Why does DivestOS not use the word "ROM" anywhere on its website?¶

DivestOS is an aftermarket operating system with a strict set of standards it strives to achieve.
Not a poorly documented, code over the wall, haphazardly maintained "ROM".

What are some misconceptions I should be aware of?¶

If you encounter a serious issue, wiping is almost never the solution.
In-place upgrades are supported whenever possible.
Wiping cache does absolutely nothing.
You can still install updates when the bootloader is locked.
`fastboot update xyz.zip` does not replace your bootloader.
UnifiedNlp is not required for apps to acquire location.
Network location providers, such as Play and UnifiedNlp, do not make GPS acquire a lock quicker.

How long does it take to compile all supported devices?¶

As of 2023/11/01, it takes a bit over two days on an all NVME, 64GB RAM, Ryzen 7950X system.

Why do older branches compile quicker?¶

Older branches often have fewer 64-bit devices. This means only 32-bit code has to be compiled as opposed to 32-bit and 64-bit code.
Older branches have less features/apps, which means less code to compile.
Older branches have fewer devices that need to be compiled.
Older branches compile with fewer compile-time sanitizers or optimizations.

I want to sell devices with DivestOS preloaded, what should I know?¶

Selling devices with official builds of DivestOS installed is OKAY and within the license. Some preferred suggestions:

Handle the sale in good faith.
Do not market DivestOS as a magic bullet of privacy and/or security.
Verify the GPG signature and checksums of the builds you download/install.
Use Extirpater + factory reset to ensure no previous user data remains.
Ensure the device firmware is up to date before flashing.
Use the DivestOS recovery if supported.
Do not modify any system or firmware partitions such as /system, /vendor, or /boot.
Lock the bootloader if supported.
If the device requires a token or keyfile to unlock the bootloader, provide it to the user.
Leave it at the setup screen.
Leave the default wallpaper.
If you preload apps only source from the existing F-Droid repositories.

If you are not using official builds of DivestOS:

Make it clear to your users that it is unofficial.
Use the branding variables in the scripts to rebrand it.
You must make your sources available to your users as per the original repositories' respective licenses. Compliance is mandatory!
Consider upstreaming any appropriate changes.