GrapheneOS


An unofficial discussion community for anyone interested in GrapheneOS.

1
 
 

Since 6th/7th/8th generation Pixels have moved to the Linux 6.1 LTS branch with Android 15 QPR2 from 5.10 (6th/7th gen) and 5.15 (8th gen), we've closed issues filed about kernel crashes for those devices. Many kernel bugs will be gone and any remaining ones need updated reports.

GrapheneOS adds user-facing system crash reporting to make up for us not having automated crash reporting for privacy reasons. Any hardware lockup or hard reset is called a kernel crash, including holding power, so most aren't useful since they just show a hardware lockup/reset.

We report some forms of system crashes by default including memory corruption detected by hardware memory tagging in both the kernel and userspace. Full reporting can be enabled in Settings > Security & privacy > More security & privacy > Notify about system process crashes.

We don't have it fully enabled by default because we'd get a flood of reports about hardware lockups/resets while devices are asleep and not being used, etc. Rest are near entirely upstream bugs and we can't fix all of them. We focus on the ones detected by our security features.

2
 
 

For our next release after 2025030800, we've added support for the Android 15 QPR2 Terminal for running other operating systems using hardware virtualization. It's currently only a terminal but Android is adding support for graphics and GPU acceleration for a future release.

Android has a greatly overhauled desktop mode on the way to replace the current primitive proof of concept in developer options. 6th gen Pixels added hardware-based virtualization support and 8th gen Pixels added USB-C DisplayPort alternate mode. It will all come together soon.

Overhauled desktop mode is already partially shipped as a disabled-by-default feature. Android enables some of it for the Pixel Tablet already but not Pixel phones. We plan to enable the same feature flags for phones too. Either way, it's an experimental developer option for now.

Beyond using a phone or tablet as a desktop by connecting a display, keyboard, mouse, etc. to the USB-C port, we want to eventually have support for GrapheneOS on laptops. There's currently no laptop close to meeting the hardware requirements we cover at https://grapheneos.org/faq#future-devices.

On Pixels, virtualization is implemented based on pKVM (see https://source.android.com/docs/core/virtualization/security for how it's different from KVM) and CrosVM from extended with Android-specific code. CrosVM is written in Rust so it fits in well with Android using Rust for new or rewritten low-level components.

3
 
 

This release adds support for the experimental virtual machine management app introduced in Android 15 QPR2. It currently only provides support for managing a single VM and interacting with it via a WebView-based terminal. Android is in the process of adding support for graphics and GPU acceleration for a future release. For now, it's only available in developer options due to being highly experimental. We don't recommend using developer options on a production device, but you can temporarily enable it to turn on this feature and turn them back off without it being disabled like most developer options. The data inside it should currently be treated as disposable rather than relying on it not losing it from a bug or a backwards incompatible update. We plan to support choosing other guest operating systems beyond the Debian-based image provided by Android along with taking far more advantage of the virtualization infrastructure.

Tags:

  • 2025030900 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025030800 release:

  • SystemUI: re-enable migrate_clocks_to_blueprint and communal_hub flags with workarounds for upstream issues when using standard AOSP UI components instead of Pixel OS components
  • Android Debug Bridge: fix upstream crash caused by a race condition that sometimes unregistered a closed file descriptor from epoll
  • Sandboxed Google Play compatibility layer: fix issue breaking RPC transactions which impacts the Terminal app
  • Sandboxed Google Play compatibility layer: add implementation of isGoogleLocationAccuracyEnabled() to the location rerouting implementation always returning true to fix compatibility with apps checking for it
  • Sandboxed Google Play compatibility layer: fix definition of IStatusCallback.onCompletion() to slightly improve performance
  • allow Terminal app to use WebView JIT since it requires WebAssembly
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.80
4
 
 

Changes in version 134.0.6998.95.0:

  • update to Chromium 134.0.6998.95

A full list of changes from the previous release (version 134.0.6998.39.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

5
 
 

Our 2025030900 release currently in the Beta channel is the first one with support for managing hardware-based virtual machines via the Terminal app in Android 15 QPR2. Since then, we've backported massive improvements to the feature for an upcoming new release, maybe even today.

Backports include terminal tabs, GUI support with opt-in GPU hardware acceleration (ANGLE-based VirGL until GPU virtualization support is available), speaker/microphone support and fixes for a bunch of bugs including overly aggressive timeouts. We're working on VPN compatibility.

At the moment, the Terminal app isn't compatible with having a VPN in the Owner user. It only works if VPN lockdown (leak blocking) is disabled and the VPN allows local traffic to pass through. It's also not clear how it SHOULD interact with a VPN since VPNs are profile-specific.

As a preview of what's going to be possible in the upcoming release of GrapheneOS, here's a screenshot from a Pixel Tablet running desktop Chrome in a virtual machine with basic GPU acceleration via ANGLE on the host. The infrastructure is a lot more robust than the Terminal app. Full screen Chromium window with a single tab for chrome://gpu showing GPU acceleration is working.

Our next release also enables running the Terminal app in secondary users. There's still the temporary limitation of only being able to use a single VM on the device at a time because the dedicated internal network interface it uses for the Terminal app isn't split up at all yet.

GUI VM support will have 2 main use cases:

  1. Running a specific app or an entire profile via GrapheneOS virtual machines seamlessly integrated into the OS.
  2. Running Windows or desktop Linux applications with desktop mode + USB-C DisplayPort alt mode on the Pixel 8 and later.

This virtual machine management app (Terminal) will be handling the 2nd case. It's essentially already available in a very primitive way. We expect this to become much more usable and robust entirely from the upstream Android work on the virtual machine and desktop mode features.

6
 
 

Notable changes in version 83:

  • improve layout on very tall screens

A full list of changes from the previous release (version 82) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

7
 
 

Workaround for very rare fingerprint firmware glitch with Android 15 QPR2:

https://discuss.grapheneos.org/d/20636-workaround-for-very-rare-fingerprint-firmware-glitch-with-android-15-qpr2

This applies to the stock Pixel OS, GrapheneOS or another OS based on Android 15 QPR2 running on Pixel devices with the OS providing the latest firmware released this month.

This issue appears to be specific to the non-Pro Pixel 9. We have no reports of it happening on any other device models. We're continuing to look into it. Perhaps we can find a workaround for it before there's a patch for the stock OS / AOSP such as retrying connecting to it.

8
 
 

For some reason my phone isn't letting me switch to other profiles. The button "switch to 'profile name'" is grayed out completely. I have tried restarting and still no dice. Running on a Google Pixel 8.

Any help is appreciated and thank you for your time.

EDIT: I was able to get it figured out. I was posting on behalf of my wife, I guess she disabled the profile somehow accidentally 😂

9
 
 

Basically no sellers I’ve seen say whether their Pixels can have their bootloader unlocked. So how did you get yours and how can I avoid getting a lemon?

10
 
 

How do you get apps and updates?

I get apps from Aurora and Obtainium (GitHub, F-Droid etc). I'll download the odd app from Play store where it won't work otherwise.

I have Aurora and Obtainium set up to do automatic updates. Play store is set to manual.

My concern is primarily that I am relying on Aurora when that could be a risk. I think I read somewhere that the GrapheneOS team prefer Play store to Aurora - something to do with its anonymous logins.

Are there any other risks?

11
 
 

So far, the only release blocking regression reported for our port to Android 15 QPR2 is the main user interface for setting the wallpaper not loading. This has blocked it reaching the Beta and Stable channels but we'll get it quickly resolved and another release pushed out.

Android 15 QPR2 added initial support for running other operating systems with the existing hardware-based virtualization support. It will be getting graphical support with acceleration upstream. It will be very useful for desktop support, especially if we add Windows 11 support.

The new virtualization feature isn't supported in our initial release because we need to set it up and make it compatible with our hardening features. It's not part of the initial porting process but will be a very high priority once that's done, and then we'll be extending it.

The desktop mode that's available in developer options is a legacy proof of concept. There's a new far better desktop mode gated behind feature flags that's far better. DisplayPort alternate mode on Pixel 8 and later + hardware virtualization will be getting much more useful.

We'll also be using virtualization for running a nested variant of GrapheneOS for improved sandboxing beyond what the Linux kernel can provide even with substantial hardening and attack surface reduction. It will play a much bigger role than the current niche microdroid usage.

12
 
 

Notable changes in version 82:

  • downgrade CameraX to 1.5.0-alpha04 since both 1.5.0-alpha05 and 1.5.0-alpha06 crash when using Night mode on Android 15 QPR2 released this month for Pixels
  • extend workaround to avoid video recording crash on a small subset of low-end devices caused by the OS wrapping the capture button drawable inside of another type we didn't request which leads to an invalid cast exception when animating it to start video recording
  • update AndroidX ConstraintLayout library to 2.2.1
  • update Android Gradle plugin to 8.8.2

A full list of changes from the previous release (version 81) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

13
 
 

Tags:

  • 2025030700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025030500 release:

  • Wallpaper Picker: backport upstream fix for an Android 15 QPR2 bug causing the UI for picking the wallpaper to be blank
  • fix upstream system_server crash introduced in Android 15 QPR2 related to Bluetooth telephony integration
  • backport upstream fixes for 13 different system_server null pointer exception crashes, an array out of bounds system_server exception and an NFC resolver activity null pointer exception
  • backport upstream fix for voice volume adjustments in certain apps
  • adevtool (Pixel Tablet): remove unintentional deviation from standard memory pinning configuration
  • adevtool: remove unnecessary PersistentBackgroundServices app
  • adevtool: filter out config_pluginAllowlist SystemUI overlay to avoid breaking the clock layout by referring to non-AOSP SystemUI clocks
  • Sandboxed Google Play compatibility layer: fix Google Play Services for AR not being installable from the Play Store anymore
  • Sandboxed Google Play compatibility layer: fix development option for installing the Pixel Thermometer (Pixel Health) app
  • add inet group for vmnic (virtual machine networking functionality) to make it compatible with our group-based Network permission enforcement used as another layer of security
  • Camera: update to version 82
14
 
 

Notable changes in version 30:

  • work around regression in version 29 for release builds caused by removing necessary R8 rules

A full list of changes from the previous release (version 29) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

15
 
 

Our network location implementation's 3D trilateration is using far too much CPU so we're going to temporarily downgrade back to 2D until we heavily optimize it. We'll make an efficient Rust implementation to replace the initial Kotlin code and we'll see how fast we can make it.

3D is useful to take advantage of Apple's network location data having altitudes for a lot of networks. It helps a lot with estimating a position around buildings with more than a couple floors. Upgrading it to 3D helped a lot with some downtown areas but it's much too slow now.

16
 
 

This is an early March security update release based on the March 2025 security patch backports since the quarterly Android Open Source Project and stock Pixel OS release (Android 15 QPR2) scheduled for this month hasn't been published yet.

Tags:

  • 2025030300 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025030200 release:

  • full 2025-03-01 security patch level
  • Network Location: temporarily disable using altitude in trilateration for now because 3D trilateration is using an excessive amount of CPU time and we need to greatly optimize it with algorithm level improvements, porting it to Rust and other optimizations before we can use 3D
  • App Store: update to version 29
  • App Store: update to version 30
17
 
 

Since this month's release of Android isn't available yet, we're currently building/testing an early March security update release providing the Android Security Bulletin backports of High/Critical severity patches. Android 15 QPR2 will be available in the near future though.

March security bulletin lists 2 vulnerabilities as actively exploited in the wild:

https://source.android.com/docs/security/bulletin/2025-03-01

CVE-2024-43093 patch was in Android 15 QPR1 released in December. It's just being backported now.

CVE-2024-50302 doesn't impact GrapheneOS due to our exploit protections.

Android Security Bulletins are very commonly misinterpreted as being Android's monthly security patches. They're actually backports of most High and Critical severity patches to older releases of Android: 12, 12L, 13, 14 and 15. Yes, Android 15 is an older release of Android.

CVE-2024-50302 is one of 3 vulnerabilities which Amnesty International recently found being exploited by Cellebrite. This one was fully eliminated as a bug in GrapheneOS through zeroing. Separately from that, our USB-C port control blocked reaching any of the 3 bugs while locked.

For more details on the 3 Linux kernel USB bugs exploited by Cellebrite, see our thread at https://grapheneos.social/@GrapheneOS/114081753914226921. GrapheneOS blocked reaching all 3 while locked at both a hardware and software level, eliminated one and made the other 2 much harder to exploit even when unlocked.

They included one in the February security bulletin, another this month and still need to add CVE-2024-53197. We patched all 3 earlier via the kernel.org LTS revisions. Our exploit protections blocking exploiting them prior to patching is the far bigger difference.

March security bulletin lists 9 Critical severity Bluetooth vulnerabilities caused by use-after-free bugs. Our hardened_malloc project provides strong protections against exploiting these, especially on Pixel 8 and later where it has very good hardware memory tagging integration.

When a memory allocation of 128kiB or below is freed on GrapheneOS, memory tagging gives it a dedicated tag detecting any invalid access. It goes through a random quarantine and first-in-first-out quarantine before reuse. First reuse is guaranteed to use a different random tag.

Memory tagging also zeroes the allocation. On devices without it, we still zero it at free time and then check for the zeroing at allocation time to detect write-after-free and guarantee that fresh allocations are zeroed. With memory tagging, it detects the invalid accesses.

After a memory allocation is freed, goes through both quarantines, is allocated again, freed again, goes through both quarantines and is allocated again there's still a 14/15 chance for the random tag to detect an invalid memory access. Attackers also usually need to chain bugs.

GrapheneOS users have been regularly finding obscure Bluetooth memory corruption bugs with specific accessories. We generate user-facing notifications for MTE detecting invalid accesses for users to report to us and app devs. We can likely close several more of those issues now.

We've actually had these Critical severity Bluetooth patches backported for a month already:

https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commits/69d9332c8d7097ecece3b94bcd506739e4e5a54b/

Good news is that we've already had those patches for a month. Bad news is it's not the reason for the remaining issues being caught by MTE, will need more work.

"Fix UAF in sdp_discovery.cc" patch was included upstream previously, it's just a backport. The others we applied ourselves last month. They weren't listed in the bulletin or included in the monthly update but they were published and they did fix some issues we'd caught with MTE.

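The software side of the free path described in this post (zero at free, a random quarantine followed by a FIFO quarantine, zero check at allocation), as an added toy model in C. It is not hardened_malloc's code and not part of the original post; the slot sizes, quarantine capacities and every function name are constructed for the example, and memory tagging is left out entirely.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE 64  /* toy sizes, constructed for this example */
#define NSLOTS    32
#define RANDQ     4   /* random quarantine entries */
#define FIFOQ     4   /* FIFO quarantine entries */
static uint8_t arena[NSLOTS][SLOT_SIZE];
static int free_list[NSLOTS], free_count;
static int randq[RANDQ];              /* -1 marks an empty entry */
static int fifoq[FIFOQ], fifo_head, fifo_len, detections;

void toy_init(unsigned seed) {
    srand(seed);
    memset(arena, 0, sizeof arena);
    free_count = fifo_head = fifo_len = detections = 0;
    for (int s = NSLOTS - 1; s >= 0; s--) free_list[free_count++] = s;
    for (int i = 0; i < RANDQ; i++) randq[i] = -1;
}

/* Allocation-time check: a slot leaving the free list must still be zero. */
void *toy_alloc(void) {
    if (free_count == 0) return NULL;
    int s = free_list[--free_count];
    for (int i = 0; i < SLOT_SIZE; i++)
        if (arena[s][i] != 0) { detections++; return NULL; } /* a real allocator would abort */
    return arena[s];
}

void toy_free(void *p) {
    int s = (int)((uint8_t (*)[SLOT_SIZE])p - arena);
    memset(arena[s], 0, SLOT_SIZE);       /* zero at free time */
    int r = rand() % RANDQ;               /* stage 1: swap into a random entry */
    int evicted = randq[r];
    randq[r] = s;
    if (evicted < 0) return;
    if (fifo_len < FIFOQ) {               /* stage 2: FIFO quarantine */
        fifoq[(fifo_head + fifo_len) % FIFOQ] = evicted;
        fifo_len++;
        return;
    }
    int oldest = fifoq[fifo_head];        /* full: the oldest entry leaves */
    fifoq[fifo_head] = evicted;
    fifo_head = (fifo_head + 1) % FIFOQ;
    free_list[free_count++] = oldest;     /* only now can the slot be reused */
}

int demo_reuse(void) {
    toy_init(1);
    void *p = toy_alloc();
    toy_free(p);
    return toy_alloc() != p;              /* 1: freed slot is not handed straight back */
}

/* Churns the heap, optionally after a dangling write; returns detections. */
int demo_churn(int dangling_write) {
    toy_init(1);
    uint8_t *p = toy_alloc();
    toy_free(p);
    if (dangling_write) p[0] = 0x41;      /* the bug being modelled */
    for (int i = 0; i < 10000; i++) {
        uint8_t *q = toy_alloc();
        if (q == NULL) break;             /* corruption caught at allocation */
        memset(q, 0xAA, SLOT_SIZE);       /* normal use while live */
        toy_free(q);
    }
    return detections;
}

int main(void) {
    printf("delayed=%d clean=%d dangling=%d\n", demo_reuse(), demo_churn(0), demo_churn(1));
    return 0;
}
```
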
18
 
 

The stable release of Android 15 QPR2 is coming out today. Since around the same time last year with Android 14 QPR2, quarterly releases have been trunk-based which means they ship the development branch changes. It's a large release similar to a yearly release under the hood.

We did some work to prepare for the quarterly release and we'll be hard at work porting to it. We made an early March security release with the Android Security Bulletin patches yesterday. The full Pixel 2025-03-05 patch level requires Android 15 QPR2 so it's a high priority.

Android Security Bulletins are the subset of the Android security patches backported to older releases (12, 12L, 13, 14, 15). Those don't include Moderate or Low severity patches and only cover a small subset of hardware-related patches. The full patches require more than that.

We regularly use the ASB backports to make an early security update prior to the stock Pixel OS and Android Open Source Project monthly, quarterly or yearly release being published. We're currently waiting for the AOSP quarterly release to be pushed, hopefully within a few hours.

Ideally, we'd have early access to the monthly, quarterly and yearly release to get the porting and testing done early. Instead, we need to make an enormous effort to quickly port everything and work through any issues to get quarterly and yearly releases out in a couple days.

Most Android OEMs have early access as Google partners. Google's security team wanted to get us partner access but their business team vetoed it and has unreasonable, essentially unobtainable requirements for getting it. We need an OEM to work with us and it would help us a lot.

19
 
 

There's an app I'm trying to use, BP pulse, it keeps telling me I need to enable location services and it won't work without it. The thing is that my phone (8 Pro) already has location services switched on, and assigned to this app at the fine detail level. I assume the app is looking for something else but I don't know what.

How do I go about an investigation?

Thanks!

20
 
 

Mint has a really good deal on Pixels now. They say that their phone auto-unlocks after 60 days. Anybody have experience with those? Is the bootloader locked? If so, does it unlock after 60 days?

21
 
 

My current phone (iPhone 13 mini) is telling me to retire it, and I want to get into Graphene. I really dislike that my phone sometimes will just hang while I’m swipe typing and don’t want to buy a new one that has these latency issues. I also don’t want to spend a ton of money.

I was looking at the Pixel 8a which is being sold for $500. Anyone else use it with Graphene? Do you use a swipe keyboard? Any responsiveness issues?

What about storage? Coming from Apple, I can see my current phone using about 64GB with OS + apps. Anyone recently made the transition and can tell me if I can expect this number to grow or shrink?

Thanks a bunch!

22
 
 

Hi, I am planning to get my first wireless/BT headphones for my phone. But since GrapheneOS has always had minor bugs, I wanted to ask how reliable listening to BT speakers has been for you?

23
 
 

Hi,
is it possible to have Instagram push notifications without G Play Services? Could UnifiedPush be useful here?

Thanks.
