I bought a new phone. After my experiences with signal and the helpful comments readers gave regarding the ability to run android and signal without Google Play using microg I thought I would give it a shot.

Since microg reports that signature spoofing is required and comes out-of-the-box with omnirom I thought I'd aim for installing omnirom's version of Android 6 (marshmallow) after years of using cyanomgenmod's version of Android.

The Nexus line of phones seemed well-supported by omnirom in particular (and the alternative ROM community in general) so I bought a Nexus 5x.

I carefully followed the directions for installing omnirom however when it came time to boot into omnirom, I just got the boot sequence animation over and over again.

Frustrated, I decided to go back to cyanogenmod and see if I could use one of the microg recommended methods for getting signature spoofing to work. The easiest seemed to be Needle by moosd but alas no such luck with Marshmallow. Someone else forked the code and might fix it one day. I then spent too much time trying to understand what xposed is before I gave up understanding it and just tried to install it (woops, looks like the installer page is out of date so instead I followed sketchy instructions from a forum thread). Well, to make a long story short it resulted in a boot loop.

So, I decided to return to omnirom. After reading some vague references to omnirom and supersu, I decided to flash both of them together and voila, it worked!

Next, I decided to enable full disk encryption. Not so fast. After clicking through the screens and hitting the final confirmation, my phone rebooted and spent the next 5 hours showing me the omnirom boot animation. Somehow, powering down and starting again resulted in a working machine, but no disk encryption.

After much web searching, guessing and trial and error, I fixed the problem by clicking on the SuperSU option to "Full unroot" the device (I pressed "no" when prompted to attempt to restore stock image). Then I rebooted and followed the directions to encrypt the device. And it worked! Hooray!

I had to reboot and re-flash the supersu to regain su privileges.

All was great.

The first root action I decided to take was to install the cryptfs program from f-droid because using the same password to decrypt your device as you use to unlock the screen seems either tedious or insecure.

That process didn't work so well. I got a message saying: use this command from a root shell before you reboot: vdc cryptfs changepw <password>. I followed the advice, carefully typing in my 12 character password which includes numbers and letters.

Then, I happily did what I expected to be my last reboot when, to my horror, I was prompted to decrypt my disk with ... a numeric-only keypad.

That wasn't going to work. At this point I had already spent 5 days and about 8 hours on this project. Sigh. So, I started over.

Guess what? It only took me 25 minutes but, it seems that cryptfs is broken. Even with a numeric password it fails. Ok, I guess I need a long pin to unlock my phone. This time it only took my 15 minutes to wipe and re-install everything.

There are only two positive things I can think of:

  • TWRP, which provides the recovery image, is really great. Everytime something went wrong I booted into the TWRP recovery image and could fix anything.
  • I'm starting to get used to the error on startup warning me that "Your device is corrupt. It can't be trusted and may not work properly." It's a good thing to remember about all digital devices.

p.s. I haven't even tried to install microg yet... which was the whole point.

Try SnooperStopper to change the encryption password. It works fine for me on CyanogenMod 13.
Comment by Anonymous Thu 01 Sep 2016 01:31:38 AM EDT
For what it's worth, I run microG on Cyanogenmod. ~~ baloo@ursamundi.org
Comment by Anonymous Thu 01 Sep 2016 06:20:05 AM EDT

Personally, I use CyanogenMod 13 (not on a Nexus device, though) with full-disk encryption (although not hardware-backed), using a somewhat long password (not PIN) which is also used for screen locking. Regarding microG, I enabled signature spoofing by patching and rebuilding CyanogenMod, it seems cleaner than messing with Xposed and such…

Comment by Anonymous Fri 02 Sep 2016 07:24:47 AM EDT

The vdc command is wrong, it should be sth like vdc cryptfs changepw password <password>. Not sure what actually happened with your command, but you can guess that the password arg is required as else the system can't know if a password should be presented with numpad or password (or swipe-code) entry. For more surprise, the exact command changed in Android 6.0, it was vdc cryptfs changepw password <password in hex> before. Took me quite some time after I upgraded, but atleast I was still able to use the phone.

Regarding root/SuperSU: omnirom is focussing on openness, privacy and security. Most root solutions for Android are known to be vulnerable to some attacks, the only exception being SuperSU, which is not open-source (afaik). Thus none of the existing root solutions was usable for omnirom and as such it is not included. I did not install SuperSU or any other root solution on my phone and it worked out rather good. There are only very few commands I sometimes use that require root permissions (password changing for example) and I can happily use them over the ADB tool from my pc. You need to call adb root to gain root privileges on omnirom devices, this is to restart adbd (the corresponding on-device daemon) with higher permissions. You should reboot afterwards to put it into low-permission mode again for security reasons.

Comment by Anonymous Wed 14 Sep 2016 03:04:41 PM EDT

hi jamie!

you may be interested in my own experiments with those very issues. i have documented my work on a specific phone (the HTC One S "ville") in my own wiki. it's kind of too bad this information is spread all over the place like this, but I felt I just wanted to jot down notes as I went along, because I consistently had to start from scratch over and over again, and always forgot how. the notes are really a bit of a mess, but I hope they can be useful for you...

I am currently using this phone without any google proprietary apps, at least as much as possible: CM itself ships a few proprietary drivers for sensors and the camera, but that's all I have on there (apart from the proprietary baseband of course).

I have tried running LibreSignal (the non-websocket rebuild available on an f-droid repository) and it seems to work, although I need to test everything again.

It's really an amazing pain in the ass, to be honest. It's surprising how bad the state of affairs is, and how allies (like Moxie) seem to be working against the free software movement by forcing stuff like Google Play down people's throat. A really bad situation that reminds me of the early days of the free software wars on the desktop more than anything...

-- anarcat

Comment by Anonymous Sat 24 Sep 2016 06:01:24 PM EDT