This article can be shared under the terms of the CC BY-SA 4.0 license.
- Introduction
- Disclaimer
- Machines and users
- General reference about updating firmware and freeing Android phones
- Understand special reboot modes on Falcon
- Install Cyanogenmod 6.0 on Falcon, using Heimdall and TWRP
- Backup Falcon data
- Prepare Falcon and NebulonB for connection.
- Compile and install Heimdall 1.4.1+ on NebulonB
- Install TWRP Recovery on Falcon, using Heimdall from NebulonB
- Backup Falcon using TWRP (or, alternatively, adb root shell)
- Install Cyanogenmod 6.0 on Falcon
- Enable Developer options & configure root on Falcon
- Encrypt Falcon
- Get mobile apps for Falcon
- SMS backup & restore
- Synchronize agenda & contacts between Falcon and NebulonB using owncloud and DAV Droid
- Architecture
- Get an SSL certificate on NebulonB (future Apache server)
- Install and secure Apache/PHP/MySQL and Owncloud on NebulonB
- On NebulonB’s owncloud, create user Han and upload his existing agenda and contacts (if any)
- Install SSL certificate on Falcon
- Install and configure DAV Droid on Falcon
- Thanks
Introduction
Nowadays, mobile devices come as non-free/libre and insecure systems, often filled with bloatware and spyware.
This is an attempt to respond to this problem, by implementing the following principles:
- move, as much as possible towards free/libre open source software
- minimize exposure to centralized tools (e.g. Google Play and tools such as gmail, Google Calendar, etc.)
- keep all main functionalities of a personal and professional state-of-the-art mobile device (phone, SMS, agenda and contact sync, internet, apps, camera, GPS…), happily skipping the frills
- keep data portable in open formats (in particular: agenda, contacts, SMS)
- secure mobile phone data and communications through encryption
- find pragmatic compromises, keeping in mind that some components are harder to free (e.g. hardware)
I had already installed Cyanogenmod 12 and 13 on a Galaxy S4 but was too lazy to publish my notes (+ I didn’t know markdown then) and now I feel the urge to give back to the community, hoping that some people will come with robust automation to make these tools available to more users.
I hope the present tutorial can be helpful to some readers. It should be accessible to most GNU/Linux sysadmins with no prior knowledge of Android or Cyanogenmod.
NB:
- Cyanogenmod 13.0 is a free equivalent of Android 6.0 codename "Marshmallow", Android’s last release that starts being deployed
- I would have loved to use Replicant, but it did not seem able, yet, to feature all functionalities I needed
- The following install also works with a Windows Owncloud server, using xampp but note that Owncloud is not supported on Windows anymore (another good reason to use GNU/Linux instead).
- I am not an expert in any of those subjects and cannot provide help beyond this tutorial. If you need extra help, I suggest you try http://forum.xda-developers.com/.
If you find errors or have suggestions, feel free to comment. Translations are also welcome (in French, in particular).
Disclaimer
The following hacks are for experimental purpose only. Be aware that trying to hack your phone presents some risks, including:
- permanently loosing your data
- voiding warranty (you may want to read https://fsfe.org/freesoftware/legal/flashingdevices.en.html too)
- "bricking" your phone (i.e. turn it into a useless brick with non-functional software or even hardware, which can only be repaired by the phone manufacturer)
- security breaches due to unofficial hacks
I WILL TAKE NO RESPONSIBILITY FOR ANYTHING THAT MAY HAPPEN IF YOU DECIDE TO EXPERIMENT ANY OF THE FOLLOWING.
That being said, if you dare, have fun…
Machines and users
This tutorial assumes the following configuration:
- A GNU/Linux PC, named
NebulonB
(refers to hostname or local static address such as 192.168.x.y), with future ownclound user namedHan
- An Android mobile phone (here, a Galaxy S5, a.k.a SM-G900F), named
Falcon
- Connections between Falcon and NebulonB shall use the original Samsung USB 2.0 cable (or a good quality USB 2.0 cable – USB3.0 cable might not work – untested)
NB:
- Most of what is being said here would probably work with other Android devices than the Galaxy S5: you need to check TWRP and Cyanogenmod websites to see if your device is supported.
General reference about updating firmware and freeing Android phones
- http://www.all-things-android.com/content/guide-flashing-samsung-firmware
- https://freeyourandroid.org/
Understand special reboot modes on Falcon
Android phones can reboot in "special" modes, using tools that are already on your phone (the official "stock Android" software) or by some alternative tools.
"Download mode"
- Power off
- Press simultaneously "volume down" + "home" + "power", wait about 5 s
- At prompt, release buttons and press volume up as required to confirm
"Recovery mode"
- Power off
- Press simultaneously "volume up" + "home" + "power", wait about 5 s
- When seeing unusual characters in the upper left corner, release buttons
Install Cyanogenmod 6.0 on Falcon, using Heimdall and TWRP
Backup Falcon data
Again, remember that you may loose some or all of it by experimenting the following.
Prepare Falcon and NebulonB for connection.
- Ensure 80%+ battery
- Enable developer mode (Parameters / "More" / "About device" and tap 7 times on "Build version")
- Go back to "About device" / "Developer options" / "USB debugging" and check)
- Connect Falcon to NebulonB
- Accept fingerprint
-
Get Android Debug Bridge (adb) package to access Falcon
sudo apt-get install android-tools-adb adb devices
-
Check Falcon is listed as a device
Compile and install Heimdall 1.4.1+ on NebulonB
Heimdall is a piece of free software to flash Falcon’s ROM. Note that versions (eg. 1.4.0) that come with most GNU/Linux distributions will not work. We need to get the latest.
-
On NebulonB, run:
sudo apt-get install build-essential cmake zlib1g-dev qt5-default libusb-1.0-0-dev libgl1-mesa-glx libgl1-mesa-dev git clone git://github.com/Benjamin-Dobell/Heimdall.git mkdir -p Heimdall/build cd Heimdall/build cmake -DCMAKE_BUILD_TYPE=Release .. make cd bin ./heimdall version sudo cp bin/* /usr/local/bin
References
- https://wiki.cyanogenmod.org/w/Install_and_compile_Heimdall
- https://github.com/Benjamin-Dobell/Heimdall/tree/master/Linux
Install TWRP Recovery on Falcon, using Heimdall from NebulonB
- On NebulonB, get the proper TWRP recovery image (go to https://dl.twrp.me/klte/twrp-2.8.7.0-klte.img then download from there – no direct download), henceforth named recovery.img.
- Reboot Falcon in download mode
- Connect Falcon to NebulonB
-
From NebulonB, check connection and ability to read Falcon’s pit:
sudo heimdall version sudo heimdall detect sudo heimdall print-pit --no-reboot
-
From NebulonB, backup Falcon’s stock pit:
(may require to disconnect/reconnect Falcon and even to reboot to get connection again)sudo heimdall download-pit --output FalconStock.pit --no-reboot
-
From NebulonB, flash Falcon’s ROM:
(may require to disconnect/reconnect Falcon and even to reboot to get connection again)sudo heimdall flash --RECOVERY recovery.img --no-reboot
- Monitor blue transfer bar that appears on Falcon, showing the recovery software being transferred (takes 5s or so)
- Disconnect Falcon
- Manually reboot Falcon into recovery mode (normal reboot will result on custom recovery being overwritten by stock recovery, which will require a new install)
-
Reboot Falcon and accept to install root when asked by TWRP recovery
Backup Falcon using TWRP (or, alternatively, adb root shell)
- Boot Falcon in TWRP recovery mode
- Backup Falcon (default checkboxes + EFS and Modem) to sdcard
- Copy the backup file on NebulonB
Alternatively, you also may use a root shell to backup and restore Falcon:
- EFS (IMEI number)
- modems (broadband version, wireless device MAC address, product code, system ID and NV data)
- pit file (partition table)
References
Install Cyanogenmod 6.0 on Falcon
NB: Cyanogenmod ROM codename for Galaxy S5 is "klte
"
- On NebulonB, get cm-13.0 nightly zip from https://download.cyanogenmod.org/?device=klte
- Put zip on sdcard, from NebulonB (SDcart reader or cable) (or using adb push on external
/storage/
) - Boot in TWRP recovery mode
- Wipe (factory reset, i.e. data, cache, dalvik)
- install zip from sdcard
- reboot
NB: Seeing your files require to select "MTP" (even if already selected…) in Developer menu / Select USB configuration.
References
Enable Developer options & configure root on Falcon
On Falcon:
- Enable Developer options: Go to Settings> About phone> Tap seven times on Build number.
- Go back to Settings main menu and open Developer options from there.
- Look for Root access setting, and set it as you need
References
- http://androiding.how/enable-root-cm13/
- NB: this is simpler than rooting/unrooting Stock Marshmallow that requires to get https://download.chainfire.eu/supersu and install it in recovery mode
- https://www.youtube.com/watch?v=Obfdz3UVYfs
- http://androiding.how/how-to-flash-supersu-using-twrp-recovery-and-root-any-android-device/
- https://www.youtube.com/watch?v=KoHGJl2FBpA
- http://forum.xda-developers.com/showpost.php?p=63615067&postcount=2459
- https://download.chainfire.eu/743/SuperSU/BETA-SuperSU-v2.52.zip
Encrypt Falcon
Today (2015-01-04), CM seems to have an encryption problem that we need to take care of:
- Unencrypted systems have a block device (say
/dev/block/mmcblk0p26
) where/data
and/sdcard
are ext4 filesystems - On encrypted systems,
/dev/block/mmcblk0p26
is an encryption container and/data
and/sdcard
are mounted on/dev/block/dm-0
.
However, there is not enough left space on block device which should be 16KiB smaller than the partition to host the partition itself.
To fix this:
- Boot Falcon in TWRP recovery mode and connect it to NebulonB
-
From NebulonB, login as root and list mounted partitions
adb root adb shell mount
-
Find the block device that hosts
/data
and/sdcard
(in my case/dev/block/mmcblk0p26
), then umount/data
,/sdcard
and
usetune2fs
to retrieve "Block count":umount /data umount /sdcard tune2fs -l /dev/block/mmcblk0p26
(mine was 3106039)
-
Check/fix ext4 filesystem (required by
resize2fs
), then resize it by substracting 8 to the Block count
(in my case, the result is 3106031), then recheck/fix it one last time (may find/fix a minor error in fs)e2fsck -f -p /dev/block/mmcblk0p26 resize2fs /dev/block/mmcblk0p26 3106031 e2fsck -f -p /dev/block/mmcblk0p26
- Reboot Falcon
- Set Lockscreen Password (will be used for encryption) and enter a password P1 (a serious one, not a PIN code)
- Go to Security and Encrypt Phone (takes less than 5 min)
-
Change the lockscreen password to P2, a more practical one (and remember P1, it is still the one that will decrypt your data at boot)
NB: To change P1, consider (I haven’t checked) using:
vdc cryptfs changepw pin/password/etc oldpassword newpassword
References
- http://forum.cyanogenmod.org/topic/116348-cyanogen-121-encryption-setup-does-not-finish/#entry560356
- http://forum.cyanogenmod.org/topic/118379-encryption-broken-on-cm-130-nightlies/
- https://android.stackexchange.com/questions/117405/how-do-you-encrypt-your-device-running-cyanogenmod-12-1
- https://source.android.com/security/encryption/
- http://androidcreations.weebly.com/how-to-get-android-mounts-and-partition-images.html
- https://blog.oxplot.com/decrypt-data-cm-recovery/
Get mobile apps for Falcon
Get app stores
F-Droid (free/libre opensource software store)
- Download the
.apk
file from https://f-droid.org/ and put it on the external sdcard - On device, using file manager, click to install
OpenGapps (alternative to Google Play for Google Apps – untested yet)
- On http://opengapps.org/, get 6.0 nano (+ test pico) versions
- Put zips on sdcard then reboot device in recovery mode, install relevant zip and reboot
References
- http://androiding.how/android-6-0-marshmallow-gapps/
- https://wiki.cyanogenmod.org/w/Google_Apps
- https://github.com/opengapps/opengapps/wiki/Package-Comparison
- NB: Android 6.0 may require a patch to work with opengapps
Get favourite apps
For instance,
- From F-Droid:
- DAV Droid (synchronizer for agenda and contacts)
- Document Viewer (to view pdfs for instance)
- OrBot and OrWeb (TOR encrypted communications)
- OsmAnd~ (openstreetmap: includes offline maps, GPS directions)
- Owncloud client
- Twidere (twitter client)
- VLC (video player)
- From opengapps (untested)
- You may also get somme Google apps without store (nor update) on https://www.apkmirror.com/
SMS backup & restore
Backup
-
From NebulonB connected to Falcon:
adb root adb shell cd /data/user/0/com.android.providers.telephony/databases/ cp mmssms.db mmssms.db_backup exit adb pull /data/user/0/com.android.providers.telephony/databases/mmssms.db_backup
Restore
-
From NebulonB connected to Falcon:
adb push mmssms-backup.db /data/user/0/com.android.providers.telephony/databases/mmssms.db
-
Reboot Falcon
Synchronize agenda & contacts between Falcon and NebulonB using owncloud and DAV Droid
Architecture
Our objective is to have agenda and contacts in open formats (CalDAV for the agenda, CardDAV for contacts), accessible and synchronized between NebulonB and Falcon.
The architecture is as follows:
- NebulonB hosts a local apache / owncloud server
- On NebulonB, the agenda and contacts can be accessed
- Using a web browser connecting to localhost
- Using the Lightning calendar extension of Mozilla Thunderbird, once synchronized with owncloud
- On Falcon, the agenda and contacts
- Are synchronized with NebulonB using DAV Droid
- Are accessible in the native Cyanogenmod calendar and contact apps
- Communications are secured via https encryption, using a self-signed certificate
Get an SSL certificate on NebulonB (future Apache server)
To secure communications with SSL, you may get a certificate on Let’s encrypt or generate your own.
-
To generate an x509 certificate (4096 bit, valid for 10 years) called
my_cerficate.crt
, with key inmy_cerficate.key
(NB: when prompted forCommon name
during interactive generation, enter the IP address of the server hosting the certificate):openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout my_cerficate.key -out my_cerficate.crt
-
Move certificate and key in Apache configuration tree:
move my_cerficate.crt /usr/local/apache2/conf/ssl.crt/server.crt move my_cerficate.key /usr/local/apache2/conf/ssl.key/server.key
Install and secure Apache/PHP/MySQL and Owncloud on NebulonB
- Install a LAMP stack on a local server, (possibly on a virtual machine or a docker container)
- Enable, if required,
LoadModule rewrite_module
in/usr/local/apache2/conf/httpd.conf
- Secure the LAMP stack, in addition to NebulonB’s general security.
- Install owncloud (with SSL support)
- Add NebulonB to trusted_domains in $OWNCLOUND/config/config.php
-
Ensure that https is always enabled when connecting to owncloud:
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{REQUEST_URI} owncloud RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L] </IfModule>
-
Check secure connection to OwnCloud with https://NebulonB/owncloud
References
- https://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
- http://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
- http://www.youtube.com/watch?v=PQZ8wzV9VU8
- http://jessesnet.com/development-notes/2015/docker-lamp-stack/
- https://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers/
On NebulonB’s owncloud, create user Han and upload his existing agenda and contacts (if any)
- Create user
Han
on NebulonB’s owncloud - Upload
Han-calendar.ics
(accessible via CalDAV at https://NebulonB/owncloud/remote.php/caldav/calendars/Han/Han-calendar) - Upload
Han-contacts.ics
(accessible via CardDAV at https://NebulonB/owncloud/remote.php/carddav/addressbooks/gannet/contacts) - (optional but convenient) Create synchronized a remote calendar on Mozilla Thunderbird/Lightning, pointing at https://NebulonB/owncloud/remote.php/caldav/calendars/Han/Han-calendar
Install SSL certificate on Falcon
- Copy
my_cerficate.crt
from NebulonB to Falcon’s SDcard - In Falcon’s Parameters/Security, import certificate from SDcard (should be visible as a user cerficate)
- NB: a warning message will probably popup if the certificate is self-signed but no worries
Install and configure DAV Droid on Falcon
Configure DAV Droid and, using Han’s owncloud login and password:
- Create a calendar account synchronized with https://NebulonB/owncloud/remote.php/caldav/calendars/Han/Han-calendar,
- Create a contact account synchronized with https://NebulonB/owncloud/remote.php/carddav/calendars/Han/Han-contacts
- In Falcon’s Parameters>Confidentiality, allow DAVDroid to use personal data for calendar and contacts
References
Thanks
Thanks to
- @hugoroyd, for @FSFE references on Free Android and warranty loss
- @klorydryk, for advice on CalDAV and CardDAV
- @jerezim, for the “It takes two hours to install Cyanogenmod on your mobile” challenge
- @sfermigier, for showing me markdown