Free and secure your mobile device: installing Cyanogenmod 13.0 on Samsung Galaxy S5 with GNU/Linux

This article can be shared under the terms of the CC BY-SA 4.0 license.


Nowadays, mobile devices come as non-free/libre and insecure systems, often filled with bloatware and spyware.

This is an attempt to respond to this problem, by implementing the following principles:

  • move, as much as possible towards free/libre open source software
  • minimize exposure to centralized tools (e.g. Google Play and tools such as gmail, Google Calendar, etc.)
  • keep all main functionalities of a personal and professional state-of-the-art mobile device (phone, SMS, agenda and contact sync, internet, apps, camera, GPS…), happily skipping the frills
  • keep data portable in open formats (in particular: agenda, contacts, SMS)
  • secure mobile phone data and communications through encryption
  • find pragmatic compromises, keeping in mind that some components are harder to free (e.g. hardware)

I had already installed Cyanogenmod 12 and 13 on a Galaxy S4 but was too lazy to publish my notes (+ I didn’t know markdown then) and now I feel the urge to give back to the community, hoping that some people will come with robust automation to make these tools available to more users.
I hope the present tutorial can be helpful to some readers. It should be accessible to most GNU/Linux sysadmins with no prior knowledge of Android or Cyanogenmod.


  • Cyanogenmod 13.0 is a free equivalent of Android 6.0 codename "Marshmallow", Android’s last release that starts being deployed
  • I would have loved to use Replicant, but it did not seem able, yet, to feature all functionalities I needed
  • The following install also works with a Windows Owncloud server, using xampp but note that Owncloud is not supported on Windows anymore (another good reason to use GNU/Linux instead).
  • I am not an expert in any of those subjects and cannot provide help beyond this tutorial. If you need extra help, I suggest you try

If you find errors or have suggestions, feel free to comment. Translations are also welcome (in French, in particular).


The following hacks are for experimental purpose only. Be aware that trying to hack your phone presents some risks, including:

  • permanently loosing your data
  • voiding warranty (you may want to read too)
  • "bricking" your phone (i.e. turn it into a useless brick with non-functional software or even hardware, which can only be repaired by the phone manufacturer)
  • security breaches due to unofficial hacks


That being said, if you dare, have fun…

Machines and users

This tutorial assumes the following configuration:

  • A GNU/Linux PC, named NebulonB (refers to hostname or local static address such as 192.168.x.y), with future ownclound user named Han
  • An Android mobile phone (here, a Galaxy S5, a.k.a SM-G900F), named Falcon
  • Connections between Falcon and NebulonB shall use the original Samsung USB 2.0 cable (or a good quality USB 2.0 cable – USB3.0 cable might not work – untested)


  • Most of what is being said here would probably work with other Android devices than the Galaxy S5: you need to check TWRP and Cyanogenmod websites to see if your device is supported.

General reference about updating firmware and freeing Android phones

Understand special reboot modes on Falcon

Android phones can reboot in "special" modes, using tools that are already on your phone (the official "stock Android" software) or by some alternative tools.

"Download mode"

  • Power off
  • Press simultaneously "volume down" + "home" + "power", wait about 5 s
  • At prompt, release buttons and press volume up as required to confirm

"Recovery mode"

  • Power off
  • Press simultaneously "volume up" + "home" + "power", wait about 5 s
  • When seeing unusual characters in the upper left corner, release buttons

Install Cyanogenmod 6.0 on Falcon, using Heimdall and TWRP

Backup Falcon data

Again, remember that you may loose some or all of it by experimenting the following.

Prepare Falcon and NebulonB for connection.

  • Ensure 80%+ battery
  • Enable developer mode (Parameters / "More" / "About device" and tap 7 times on "Build version")
  • Go back to "About device" / "Developer options" / "USB debugging" and check)
  • Connect Falcon to NebulonB
  • Accept fingerprint
  • Get Android Debug Bridge (adb) package to access Falcon

    sudo apt-get install android-tools-adb
    adb devices
  • Check Falcon is listed as a device

Compile and install Heimdall 1.4.1+ on NebulonB

Heimdall is a piece of free software to flash Falcon’s ROM. Note that versions (eg. 1.4.0) that come with most GNU/Linux distributions will not work. We need to get the latest.

  • On NebulonB, run:

    sudo apt-get install build-essential cmake zlib1g-dev qt5-default libusb-1.0-0-dev libgl1-mesa-glx libgl1-mesa-dev
    git clone git://
    mkdir -p Heimdall/build
    cd Heimdall/build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    cd bin
    ./heimdall version
    sudo cp bin/* /usr/local/bin


Install TWRP Recovery on Falcon, using Heimdall from NebulonB

  • On NebulonB, get the proper TWRP recovery image (go to then download from there – no direct download), henceforth named recovery.img.
  • Reboot Falcon in download mode
  • Connect Falcon to NebulonB
  • From NebulonB, check connection and ability to read Falcon’s pit:

    sudo heimdall version
    sudo heimdall detect
    sudo heimdall print-pit --no-reboot
  • From NebulonB, backup Falcon’s stock pit:
    (may require to disconnect/reconnect Falcon and even to reboot to get connection again)

    sudo heimdall download-pit --output FalconStock.pit --no-reboot
  • From NebulonB, flash Falcon’s ROM:
    (may require to disconnect/reconnect Falcon and even to reboot to get connection again)

    sudo heimdall flash --RECOVERY recovery.img --no-reboot
  • Monitor blue transfer bar that appears on Falcon, showing the recovery software being transferred (takes 5s or so)
  • Disconnect Falcon
  • Manually reboot Falcon into recovery mode (normal reboot will result on custom recovery being overwritten by stock recovery, which will require a new install)
  • Reboot Falcon and accept to install root when asked by TWRP recovery

Backup Falcon using TWRP (or, alternatively, adb root shell)

  • Boot Falcon in TWRP recovery mode
  • Backup Falcon (default checkboxes + EFS and Modem) to sdcard
  • Copy the backup file on NebulonB

Alternatively, you also may use a root shell to backup and restore Falcon:

  • EFS (IMEI number)
  • modems (broadband version, wireless device MAC address, product code, system ID and NV data)
  • pit file (partition table)


Install Cyanogenmod 6.0 on Falcon

NB: Cyanogenmod ROM codename for Galaxy S5 is "klte"

  • On NebulonB, get cm-13.0 nightly zip from
  • Put zip on sdcard, from NebulonB (SDcart reader or cable) (or using adb push on external /storage/)
  • Boot in TWRP recovery mode
  • Wipe (factory reset, i.e. data, cache, dalvik)
  • install zip from sdcard
  • reboot

NB: Seeing your files require to select "MTP" (even if already selected…) in Developer menu / Select USB configuration.


Enable Developer options & configure root on Falcon

On Falcon:

  • Enable Developer options: Go to Settings> About phone> Tap seven times on Build number.
  • Go back to Settings main menu and open Developer options from there.
  • Look for Root access setting, and set it as you need


Encrypt Falcon

Today (2015-01-04), CM seems to have an encryption problem that we need to take care of:

  • Unencrypted systems have a block device (say /dev/block/mmcblk0p26) where /data and /sdcard are ext4 filesystems
  • On encrypted systems, /dev/block/mmcblk0p26 is an encryption container and /data and /sdcard are mounted on /dev/block/dm-0.
    However, there is not enough left space on block device which should be 16KiB smaller than the partition to host the partition itself.

To fix this:

  • Boot Falcon in TWRP recovery mode and connect it to NebulonB
  • From NebulonB, login as root and list mounted partitions

    adb root
    adb shell
  • Find the block device that hosts /data and /sdcard (in my case /dev/block/mmcblk0p26), then umount /data, /sdcard and
    use tune2fs to retrieve "Block count":

    umount /data
    umount /sdcard
    tune2fs -l /dev/block/mmcblk0p26

    (mine was 3106039)

  • Check/fix ext4 filesystem (required by resize2fs), then resize it by substracting 8 to the Block count
    (in my case, the result is 3106031), then recheck/fix it one last time (may find/fix a minor error in fs)

    e2fsck -f -p /dev/block/mmcblk0p26
    resize2fs /dev/block/mmcblk0p26 3106031
    e2fsck -f -p /dev/block/mmcblk0p26
  • Reboot Falcon
  • Set Lockscreen Password (will be used for encryption) and enter a password P1 (a serious one, not a PIN code)
  • Go to Security and Encrypt Phone (takes less than 5 min)
  • Change the lockscreen password to P2, a more practical one (and remember P1, it is still the one that will decrypt your data at boot)

NB: To change P1, consider (I haven’t checked) using:

vdc cryptfs changepw pin/password/etc oldpassword newpassword


Get mobile apps for Falcon

Get app stores

F-Droid (free/libre opensource software store)

  • Download the .apk file from and put it on the external sdcard
  • On device, using file manager, click to install

OpenGapps (alternative to Google Play for Google Apps – untested yet)

  • On, get 6.0 nano (+ test pico) versions
  • Put zips on sdcard then reboot device in recovery mode, install relevant zip and reboot


Get favourite apps

For instance,

  • From F-Droid:
    • DAV Droid (synchronizer for agenda and contacts)
    • Document Viewer (to view pdfs for instance)
    • OrBot and OrWeb (TOR encrypted communications)
    • OsmAnd~ (openstreetmap: includes offline maps, GPS directions)
    • Owncloud client
    • Twidere (twitter client)
    • VLC (video player)
  • From opengapps (untested)
  • You may also get somme Google apps without store (nor update) on

SMS backup & restore


  • From NebulonB connected to Falcon:

    adb root
    adb shell
    cd /data/user/0/
    cp mmssms.db mmssms.db_backup
    adb pull /data/user/0/


  • From NebulonB connected to Falcon:

    adb push mmssms-backup.db /data/user/0/
  • Reboot Falcon

Synchronize agenda & contacts between Falcon and NebulonB using owncloud and DAV Droid


Our objective is to have agenda and contacts in open formats (CalDAV for the agenda, CardDAV for contacts), accessible and synchronized between NebulonB and Falcon.

The architecture is as follows:

  • NebulonB hosts a local apache / owncloud server
  • On NebulonB, the agenda and contacts can be accessed
  • Using a web browser connecting to localhost
  • Using the Lightning calendar extension of Mozilla Thunderbird, once synchronized with owncloud
  • On Falcon, the agenda and contacts
  • Are synchronized with NebulonB using DAV Droid
  • Are accessible in the native Cyanogenmod calendar and contact apps
  • Communications are secured via https encryption, using a self-signed certificate

Get an SSL certificate on NebulonB (future Apache server)

To secure communications with SSL, you may get a certificate on Let’s encrypt or generate your own.

  • To generate an x509 certificate (4096 bit, valid for 10 years) called my_cerficate.crt, with key in my_cerficate.key
    (NB: when prompted for Common name during interactive generation, enter the IP address of the server hosting the certificate):

    openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout my_cerficate.key -out my_cerficate.crt
  • Move certificate and key in Apache configuration tree:

    move my_cerficate.crt /usr/local/apache2/conf/ssl.crt/server.crt
    move my_cerficate.key /usr/local/apache2/conf/ssl.key/server.key

Install and secure Apache/PHP/MySQL and Owncloud on NebulonB


On NebulonB’s owncloud, create user Han and upload his existing agenda and contacts (if any)

Install SSL certificate on Falcon

  • Copy my_cerficate.crt from NebulonB to Falcon’s SDcard
  • In Falcon’s Parameters/Security, import certificate from SDcard (should be visible as a user cerficate)
  • NB: a warning message will probably popup if the certificate is self-signed but no worries

Install and configure DAV Droid on Falcon

Configure DAV Droid and, using Han’s owncloud login and password:



Thanks to

  • @hugoroyd, for @FSFE references on Free Android and warranty loss
  • @klorydryk, for advice on CalDAV and CardDAV
  • @jerezim, for the “It takes two hours to install Cyanogenmod on your mobile” challenge
  • @sfermigier, for showing me markdown