This article can be shared under the terms of the CC BY-SA 4.0 license.

Introduction

Nowadays, mobile devices come as non-free/libre and insecure systems, often filled with bloatware and spyware.

This is an attempt to respond to this problem, by implementing the following principles:

• move, as much as possible towards free/libre open source software
• minimize exposure to centralized tools (e.g. Google Play and tools such as gmail, Google Calendar, etc.)
• keep all main functionalities of a personal and professional state-of-the-art mobile device (phone, SMS, agenda and contact sync, internet, apps, camera, GPS…), happily skipping the frills
• keep data portable in open formats (in particular: agenda, contacts, SMS)
• secure mobile phone data and communications through encryption
• find pragmatic compromises, keeping in mind that some components are harder to free (e.g. hardware)

I had already installed Cyanogenmod 12 and 13 on a Galaxy S4 but was too lazy to publish my notes (+ I didn’t know markdown then) and now I feel the urge to give back to the community, hoping that some people will come with robust automation to make these tools available to more users.
I hope the present tutorial can be helpful to some readers. It should be accessible to most GNU/Linux sysadmins with no prior knowledge of Android or Cyanogenmod.

NB:

• Cyanogenmod 13.0 is a free equivalent of Android 6.0 codename "Marshmallow", Android’s last release that starts being deployed
• I would have loved to use Replicant, but it did not seem able, yet, to feature all functionalities I needed
• The following install also works with a Windows Owncloud server, using xampp but note that Owncloud is not supported on Windows anymore (another good reason to use GNU/Linux instead).
• I am not an expert in any of those subjects and cannot provide help beyond this tutorial. If you need extra help, I suggest you try http://forum.xda-developers.com/.

If you find errors or have suggestions, feel free to comment. Translations are also welcome (in French, in particular).

Disclaimer

The following hacks are for experimental purpose only. Be aware that trying to hack your phone presents some risks, including:

• permanently loosing your data
• voiding warranty (you may want to read https://fsfe.org/freesoftware/legal/flashingdevices.en.html too)
• "bricking" your phone (i.e. turn it into a useless brick with non-functional software or even hardware, which can only be repaired by the phone manufacturer)
• security breaches due to unofficial hacks

I WILL TAKE NO RESPONSIBILITY FOR ANYTHING THAT MAY HAPPEN IF YOU DECIDE TO EXPERIMENT ANY OF THE FOLLOWING.

That being said, if you dare, have fun…

Machines and users

This tutorial assumes the following configuration:

• A GNU/Linux PC, named NebulonB (refers to hostname or local static address such as 192.168.x.y), with future ownclound user named Han
• An Android mobile phone (here, a Galaxy S5, a.k.a SM-G900F), named Falcon
• Connections between Falcon and NebulonB shall use the original Samsung USB 2.0 cable (or a good quality USB 2.0 cable – USB3.0 cable might not work – untested)

NB:

• Most of what is being said here would probably work with other Android devices than the Galaxy S5: you need to check TWRP and Cyanogenmod websites to see if your device is supported.

General reference about updating firmware and freeing Android phones

• http://www.all-things-android.com/content/guide-flashing-samsung-firmware
• https://freeyourandroid.org/

Understand special reboot modes on Falcon

Android phones can reboot in "special" modes, using tools that are already on your phone (the official "stock Android" software) or by some alternative tools.

"Download mode"

• Power off
• Press simultaneously "volume down" + "home" + "power", wait about 5 s
• At prompt, release buttons and press volume up as required to confirm

"Recovery mode"

• Power off
• Press simultaneously "volume up" + "home" + "power", wait about 5 s
• When seeing unusual characters in the upper left corner, release buttons

Install Cyanogenmod 6.0 on Falcon, using Heimdall and TWRP

Backup Falcon data

Again, remember that you may loose some or all of it by experimenting the following.

Prepare Falcon and NebulonB for connection.

• Ensure 80%+ battery
• Enable developer mode (Parameters / "More" / "About device" and tap 7 times on "Build version")
• Go back to "About device" / "Developer options" / "USB debugging" and check)
• Connect Falcon to NebulonB
• Accept fingerprint

• Get Android Debug Bridge (adb) package to access Falcon

  sudo apt-get install android-tools-adb
  adb devices

• Check Falcon is listed as a device

Compile and install Heimdall 1.4.1+ on NebulonB

Heimdall is a piece of free software to flash Falcon’s ROM. Note that versions (eg. 1.4.0) that come with most GNU/Linux distributions will not work. We need to get the latest.

• On NebulonB, run:

  sudo apt-get install build-essential cmake zlib1g-dev qt5-default libusb-1.0-0-dev libgl1-mesa-glx libgl1-mesa-dev
  git clone git://github.com/Benjamin-Dobell/Heimdall.git
  mkdir -p Heimdall/build
  cd Heimdall/build
  cmake -DCMAKE_BUILD_TYPE=Release ..
  make
  cd bin
  ./heimdall version
  sudo cp bin/* /usr/local/bin

References

• https://wiki.cyanogenmod.org/w/Install_and_compile_Heimdall
• https://github.com/Benjamin-Dobell/Heimdall/tree/master/Linux

Install TWRP Recovery on Falcon, using Heimdall from NebulonB

• On NebulonB, get the proper TWRP recovery image (go to https://dl.twrp.me/klte/twrp-2.8.7.0-klte.img then download from there – no direct download), henceforth named recovery.img.
• Reboot Falcon in download mode
• Connect Falcon to NebulonB

• From NebulonB, check connection and ability to read Falcon’s pit:

  sudo heimdall version
  sudo heimdall detect
  sudo heimdall print-pit --no-reboot

• From NebulonB, backup Falcon’s stock pit:
  (may require to disconnect/reconnect Falcon and even to reboot to get connection again)

  sudo heimdall download-pit --output FalconStock.pit --no-reboot

• From NebulonB, flash Falcon’s ROM:
  (may require to disconnect/reconnect Falcon and even to reboot to get connection again)

  sudo heimdall flash --RECOVERY recovery.img --no-reboot

• Monitor blue transfer bar that appears on Falcon, showing the recovery software being transferred (takes 5s or so)
• Disconnect Falcon
• Manually reboot Falcon into recovery mode (normal reboot will result on custom recovery being overwritten by stock recovery, which will require a new install)

• Reboot Falcon and accept to install root when asked by TWRP recovery

Backup Falcon using TWRP (or, alternatively, adb root shell)

• Boot Falcon in TWRP recovery mode
• Backup Falcon (default checkboxes + EFS and Modem) to sdcard
• Copy the backup file on NebulonB

Alternatively, you also may use a root shell to backup and restore Falcon:

• EFS (IMEI number)
• modems (broadband version, wireless device MAC address, product code, system ID and NV data)
• pit file (partition table)

References

• http://forum.xda-developers.com/showthread.php?t=2737448

Install Cyanogenmod 6.0 on Falcon

NB: Cyanogenmod ROM codename for Galaxy S5 is "klte"

• On NebulonB, get cm-13.0 nightly zip from https://download.cyanogenmod.org/?device=klte
• Put zip on sdcard, from NebulonB (SDcart reader or cable) (or using adb push on external /storage/)
• Boot in TWRP recovery mode
• Wipe (factory reset, i.e. data, cache, dalvik)
• install zip from sdcard
• reboot

NB: Seeing your files require to select "MTP" (even if already selected…) in Developer menu / Select USB configuration.

References

• https://wiki.cyanogenmod.org/w/Install_CM_for_klte

Enable Developer options & configure root on Falcon

On Falcon:

• Enable Developer options: Go to Settings> About phone> Tap seven times on Build number.
• Go back to Settings main menu and open Developer options from there.
• Look for Root access setting, and set it as you need

References

• http://androiding.how/enable-root-cm13/
• NB: this is simpler than rooting/unrooting Stock Marshmallow that requires to get https://download.chainfire.eu/supersu and install it in recovery mode
• https://www.youtube.com/watch?v=Obfdz3UVYfs
• http://androiding.how/how-to-flash-supersu-using-twrp-recovery-and-root-any-android-device/
• https://www.youtube.com/watch?v=KoHGJl2FBpA
• http://forum.xda-developers.com/showpost.php?p=63615067&postcount=2459
• https://download.chainfire.eu/743/SuperSU/BETA-SuperSU-v2.52.zip

Encrypt Falcon

Today (2015-01-04), CM seems to have an encryption problem that we need to take care of:

• Unencrypted systems have a block device (say /dev/block/mmcblk0p26) where /data and /sdcard are ext4 filesystems
• On encrypted systems, /dev/block/mmcblk0p26 is an encryption container and /data and /sdcard are mounted on /dev/block/dm-0.
  However, there is not enough left space on block device which should be 16KiB smaller than the partition to host the partition itself.

To fix this:

• Boot Falcon in TWRP recovery mode and connect it to NebulonB

• From NebulonB, login as root and list mounted partitions

  adb root
  adb shell
  mount

• Find the block device that hosts /data and /sdcard (in my case /dev/block/mmcblk0p26), then umount /data, /sdcard and
  use tune2fs to retrieve "Block count":

  umount /data
  umount /sdcard
  tune2fs -l /dev/block/mmcblk0p26

  (mine was 3106039)

• Check/fix ext4 filesystem (required by resize2fs), then resize it by substracting 8 to the Block count
  (in my case, the result is 3106031), then recheck/fix it one last time (may find/fix a minor error in fs)

  e2fsck -f -p /dev/block/mmcblk0p26
  resize2fs /dev/block/mmcblk0p26 3106031
  e2fsck -f -p /dev/block/mmcblk0p26

• Reboot Falcon
• Set Lockscreen Password (will be used for encryption) and enter a password P1 (a serious one, not a PIN code)
• Go to Security and Encrypt Phone (takes less than 5 min)

• Change the lockscreen password to P2, a more practical one (and remember P1, it is still the one that will decrypt your data at boot)

NB: To change P1, consider (I haven’t checked) using:

vdc cryptfs changepw pin/password/etc oldpassword newpassword

References

• http://forum.cyanogenmod.org/topic/116348-cyanogen-121-encryption-setup-does-not-finish/#entry560356
• http://forum.cyanogenmod.org/topic/118379-encryption-broken-on-cm-130-nightlies/
• https://android.stackexchange.com/questions/117405/how-do-you-encrypt-your-device-running-cyanogenmod-12-1
• https://source.android.com/security/encryption/
• http://androidcreations.weebly.com/how-to-get-android-mounts-and-partition-images.html
• https://blog.oxplot.com/decrypt-data-cm-recovery/

Get mobile apps for Falcon

Get app stores

F-Droid (free/libre opensource software store)

• Download the .apk file from https://f-droid.org/ and put it on the external sdcard
• On device, using file manager, click to install

OpenGapps (alternative to Google Play for Google Apps – untested yet)

• On http://opengapps.org/, get 6.0 nano (+ test pico) versions
• Put zips on sdcard then reboot device in recovery mode, install relevant zip and reboot

References

• http://androiding.how/android-6-0-marshmallow-gapps/
• https://wiki.cyanogenmod.org/w/Google_Apps
• https://github.com/opengapps/opengapps/wiki/Package-Comparison
• NB: Android 6.0 may require a patch to work with opengapps

Get favourite apps

For instance,

• From F-Droid:
  • DAV Droid (synchronizer for agenda and contacts)
  • Document Viewer (to view pdfs for instance)
  • OrBot and OrWeb (TOR encrypted communications)
  • OsmAnd~ (openstreetmap: includes offline maps, GPS directions)
  • Owncloud client
  • Twidere (twitter client)
  • VLC (video player)
• From opengapps (untested)
• You may also get somme Google apps without store (nor update) on https://www.apkmirror.com/

SMS backup & restore

Backup

• From NebulonB connected to Falcon:

  adb root
  adb shell
  cd /data/user/0/com.android.providers.telephony/databases/
  cp mmssms.db mmssms.db_backup
  exit
  adb pull /data/user/0/com.android.providers.telephony/databases/mmssms.db_backup

Restore

• From NebulonB connected to Falcon:

  adb push mmssms-backup.db /data/user/0/com.android.providers.telephony/databases/mmssms.db

• Reboot Falcon

Synchronize agenda & contacts between Falcon and NebulonB using owncloud and DAV Droid

Architecture

Our objective is to have agenda and contacts in open formats (CalDAV for the agenda, CardDAV for contacts), accessible and synchronized between NebulonB and Falcon.

The architecture is as follows:

• NebulonB hosts a local apache / owncloud server
• On NebulonB, the agenda and contacts can be accessed
• Using a web browser connecting to localhost
• Using the Lightning calendar extension of Mozilla Thunderbird, once synchronized with owncloud
• On Falcon, the agenda and contacts
• Are synchronized with NebulonB using DAV Droid
• Are accessible in the native Cyanogenmod calendar and contact apps
• Communications are secured via https encryption, using a self-signed certificate

Get an SSL certificate on NebulonB (future Apache server)

To secure communications with SSL, you may get a certificate on Let’s encrypt or generate your own.

• To generate an x509 certificate (4096 bit, valid for 10 years) called my_cerficate.crt, with key in my_cerficate.key
  (NB: when prompted for Common name during interactive generation, enter the IP address of the server hosting the certificate):

  openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout my_cerficate.key -out my_cerficate.crt

• Move certificate and key in Apache configuration tree:

  move my_cerficate.crt /usr/local/apache2/conf/ssl.crt/server.crt
  move my_cerficate.key /usr/local/apache2/conf/ssl.key/server.key

Install and secure Apache/PHP/MySQL and Owncloud on NebulonB

• Install a LAMP stack on a local server, (possibly on a virtual machine or a docker container)
• Enable, if required, LoadModule rewrite_module in /usr/local/apache2/conf/httpd.conf
• Secure the LAMP stack, in addition to NebulonB’s general security.
• Install owncloud (with SSL support)
• Add NebulonB to trusted_domains in $OWNCLOUND/config/config.php

• Ensure that https is always enabled when connecting to owncloud:

  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{REQUEST_URI} owncloud
  RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L] 
  </IfModule>

• Check secure connection to OwnCloud with https://NebulonB/owncloud

References

• https://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
• http://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
• http://www.youtube.com/watch?v=PQZ8wzV9VU8
• http://jessesnet.com/development-notes/2015/docker-lamp-stack/
• https://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers/

On NebulonB’s owncloud, create user Han and upload his existing agenda and contacts (if any)

• Create user Han on NebulonB’s owncloud
• Upload Han-calendar.ics (accessible via CalDAV at https://NebulonB/owncloud/remote.php/caldav/calendars/Han/Han-calendar)
• Upload Han-contacts.ics (accessible via CardDAV at https://NebulonB/owncloud/remote.php/carddav/addressbooks/gannet/contacts)
• (optional but convenient) Create synchronized a remote calendar on Mozilla Thunderbird/Lightning, pointing at https://NebulonB/owncloud/remote.php/caldav/calendars/Han/Han-calendar

Install SSL certificate on Falcon

• Copy my_cerficate.crt from NebulonB to Falcon’s SDcard
• In Falcon’s Parameters/Security, import certificate from SDcard (should be visible as a user cerficate)
• NB: a warning message will probably popup if the certificate is self-signed but no worries

Install and configure DAV Droid on Falcon

Configure DAV Droid and, using Han’s owncloud login and password:

• Create a calendar account synchronized with https://NebulonB/owncloud/remote.php/caldav/calendars/Han/Han-calendar,
• Create a contact account synchronized with https://NebulonB/owncloud/remote.php/carddav/calendars/Han/Han-contacts
• In Falcon’s Parameters>Confidentiality, allow DAVDroid to use personal data for calendar and contacts

References

• http://davdroid.bitfire.at/configuration
• http://a3nm.net/blog/davdroid.html

Thanks

Thanks to

• @hugoroyd, for @FSFE references on Free Android and warranty loss
• @klorydryk, for advice on CalDAV and CardDAV
• @jerezim, for the “It takes two hours to install Cyanogenmod on your mobile” challenge
• @sfermigier, for showing me markdown