CalyxOS (is coming to) is here for FP4!

Apparently, the makers of CalyxOS have decided to offer a port for the Fairphone 4. So another privacy-oriented OS is coming for the Fairphone :slight_smile: And it’s apparently based on Android 12, if I understand correctly:
https://calyxos.org/news/2022/02/25/device-support/

22 Likes

I had a look at CalyxOS today and have a few questions now:

In comparison to iodéOS:


Default DNS server: Google’s DNS replaced by Quad9’s ‘unblocked’ servers.

Found nothing on CalyxOS website: only “Cloudflare DNS is available as a Private DNS provider.”

A-GPS: supl.google.com replaced by supl.vodafone.com.

Found nothing on CalyxOS website

Captive portal login: connectivitycheck.gstatic.com replaced by captiveportal.kuketz.de for connectivity check

Found nothing on CalyxOS website

Dialer: Google default option replaced by OpenStreetMap for phone number lookup

CalyxOS has its own dialer app. No info on whether it is AOSP or Lineage Dialer based.

NTP: time.android.com replaced by pool.ntp.org

Found nothing on CalyxOS website

Open-source implementation of Google Play Services: microG with Mapbox, GCM notifications by default, DéjàVu pre-selected and Nominatim Geocoder

Same as in CalyxOS. But fewer or more location and geocoding services


  • For me, iodé fits my requirements more.
  • The preinstalled apps fit my needs more. (Moreover, the preinstalled apps can be easily removed in an app.)
  • iodé on FP4 can re-lock the bootloader, which means that verified boot is supported. Only verified images and OTAs can be installed. (This is often criticized, but with the FP4 this has been disproved.)
  • blocker app integrated

The only negative point I see about iodé is the fact that the iodé app (blocker) is not open source. (But this should also be done in 2022).

I see CalyxOS as comparable to iodéOS. But not better or more secure.
Ultimately, it is up to the user to decide what he likes better and what he chooses.

CalyxOS is really not bad. But when I look at the details and take my time and think about it, I come to the conclusion that I will not install it.
Too many details that I do not like. Especially the preinstalled apps, the integration of Signal into the system, DuckDuckGo as the default browser and finally the dialer do not appeal to me.

2 Likes

You just need to look closer :smirk:

4 Likes

Google DNS
Google A-GPS
Google captive portal
Google NTP
:frowning:
all this is not so optimal
I would normally expect this info to be transparently displayed on the website and not in any git issues.
Especially with a security conscious OS.

That’s why I find this discussion rather impertinent. Especially the last answer from tommytran732.
They are sitting on a pretty high horse.

https://github.com/privacyguides/privacyguides.org/discussions/616

I can also be wrong. But many so-called and especially self-proclaimed security experts have their entrenched opinion and they are paranoid all the time

My opinion on the whole topic, which I have arrived at in the meantime:
You must not let yourself go crazy, you have to look at everything carefully and evaluate it for yourself and not believe everything that is propagated on the Internet. :wink:

To each their own I guess. I don’t have a horse in this race, haven’t had a detailed look at Calyx before today.
Personally I prefer it to be open source first, perfect on the privacy front second, but that’s just a matter of priorities :man_shrugging:

I’ll have to disagree on the self-proclaimed part here (and acknowledge my bias at the same time). SkewedZeppelin’s DivestOS has kept my Nexus 4 up to date (and reasonably secure) for quite some time, while others have jumped ship long before. While I don’t completely agree with the hardcore security stance, I have no doubt in their technical expertise.

2 Likes

SkewedZeppelin’s professional expertise is most certainly not to be denied. De facto!
But this is offset by his unwillingness to compromise.
Either or. Black or white.
But there are many shades of gray in between. And many move quite consciously in the shades of gray. Most of us.

1 Like

Hasn’t this always been the case in FOSS, I mean look at Stallman.

I just like to let the purists do their thing and if they produce something I like, I’ll use it. Otherwise I’m not getting involved in their infighting. There are only so many hours in a day, I have better (happier) things to do than argue over whose project is really true (to use metal :metal: terminology :smirk: ).

7 Likes

Question to those using CalyxOS:

Is the Datura Firewall a VPN-based one, like NetGuard, TrackerControl, etc.? Or a system app, so that another VPN is usable in parallel?

The screenshots suggest a VPN running…


As they promise that you can use a VPN, I guess it is not VPN-based.


Additionally, have a look here:
https://calyxos.org/docs/tech/datura-details/

1 Like

On devices with Linux kernel versions higher than 4.9, the bandwidth restrictions make use of eBPF

Nice, so it’s a proper (modern) system-level firewall :metal::smiley:

1 Like

@AlphaElwedritsch

re: gps

$ host supl.vodafone.com
supl.vodafone.com is an alias for supl.google.com.
supl.google.com has address 64.233.177.192
supl.google.com has IPv6 address 2607:f8b0:4002:c02::c0

iodeOS only included the no IMEI to SUPL patch after I prodded them in 2020/11:

Also related:

https://gitlab.com/CalyxOS/calyxos/-/issues/618
https://github.com/GrapheneOS/platform_frameworks_base/pull/111

And no ROM besides DivestOS has yet to disable A-GPS MSA afaik.

https://en.wikipedia.org/wiki/A-GPS#Modes_of_operation
https://gitlab.com/divested-mobile/divestos-build/-/blob/master/Scripts/Common/Functions.sh#L453-454

re: dialer
That is a Lineage feature afair and it is default disabled since 2018.

https://review.lineageos.org/q/gdpr

re: ntp
The proper endpoint should be 2.android.pool.ntp.org, as it supports IPv6 and has the correct vendor prefix.
Per their site:

Do not use the standard pool.ntp.org names as a default configuration in your system.

re: captive portal
So instead of blending in with every single other Android device for captive portal checks, you both disclose your IP to a third party (granted a reputable one) and also disclose to any adversary on your local network that you are not running “normal” software.
DivestOS instead leaves the default, but adds an option in Settings app to disable.

2 Likes
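The `host` output quoted in the post above shows why a substituted hostname has to be followed to the end of its alias chain before concluding that the operator changed. The following is an added example, not part of any post in this thread: it parses that output offline and reports where the configured SUPL name actually lands. The function names are hypothetical, and comparing the last two DNS labels is a simplification that ignores the public suffix list.

```python
import re

# Output of `host supl.vodafone.com`, copied from the post above.
HOST_OUTPUT = """\
supl.vodafone.com is an alias for supl.google.com.
supl.google.com has address 64.233.177.192
supl.google.com has IPv6 address 2607:f8b0:4002:c02::c0
"""

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

def parse_host_output(text):
    """Return (aliases, addresses) dicts built from `host` output lines."""
    aliases, addresses = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ALIAS_RE.match(line):
            aliases[m.group(1).lower()] = m.group(2).lower()
        elif m := ADDR_RE.match(line):
            addresses.setdefault(m.group(1).lower(), []).append(m.group(2))
    return aliases, addresses

def canonical_name(name, aliases, max_hops=8):
    """Follow the CNAME chain; refuse loops and overly long chains."""
    name = name.lower().rstrip(".")
    seen = {name}
    for _ in range(max_hops):
        if name not in aliases:
            return name
        name = aliases[name]
        if name in seen:
            raise ValueError("alias loop at " + name)
        seen.add(name)
    raise ValueError("alias chain longer than %d hops" % max_hops)

def base_domain(name):
    # Assumption: last two labels identify the operator (no public suffix list).
    return ".".join(name.split(".")[-2:])

def audit_endpoint(configured, host_output):
    """Report where a configured hostname really resolves."""
    aliases, addresses = parse_host_output(host_output)
    configured = configured.lower().rstrip(".")
    target = canonical_name(configured, aliases)
    return {
        "configured": configured,
        "canonical": target,
        "aliased": target != configured,
        "operator_changed": base_domain(target) != base_domain(configured),
        "addresses": addresses.get(target, []),
    }
```

Calling `audit_endpoint("supl.vodafone.com", HOST_OUTPUT)` reports `supl.google.com` as the canonical name, so the same check can be rerun on fresh `host` output for any other replaced default endpoint.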

First test build… based on A12L

4 Likes

Yes, seen it and jumped out of bed just to remember that I have no time to test it over the weekend.

2 Likes

I, for myself, have decided not to test it for the time being. I am more than satisfied with my iodé.

I’ll wait and see :wink:
There are still too many bugs in A12 and the optics of A12 are also not mine.

However, I’ll download it and analyze their installation process.
In the test builds, the installation must be done manually. The installer is not available yet.
The bootloader has to be locked manually with fastboot.
I’m curious to see how many will use it to brick their FP4…
But it will also show new findings on whether the re-lock problem on the FP4 also shows up with CalyxOS, as with the other custom ROMs.

  • Installation went fine, nothing to report there
  • No immediate problems, will have to check all my apps first
  • The A12 UI is ginormous, but I kinda like it, setting a grey background will tone the whole UI to a nice monochrome color scheme :+1:
  • Didn’t lock the bootloader, obviously :smirk:

I’m liking the experience so far :smiley:

7 Likes

Interesting that it works without locking the bootloader.

Have you had a look into the flashing script? After about 50 posts scattered over 12 threads regarding FP4 not booting anymore, I lost track. But it seems to me that you have understood it. Is the script doing the correct things to not do any harm to the phone?

A script can AFAIK never lock your bootloader (it can just trigger it). You imho always have to agree on the screen of the FP4.

4 Likes

None of the available custom ROMs (or the factory images for that matter) have code in their install scripts to lock the bootloader. They could, but you’d always have to press a button on the device to confirm it, as @Volker said.
You wouldn’t want that functionality in your script anyway, way too many possibilities for things to go sideways… (as we all have witnessed :see_no_evil:)

Locking the bootloader isn’t a requirement to run Calyx, it’s an additional feature.

I’m going to install Magisk next, so I have no intention of locking my bootloader.
My reasoning for running Calyx is easy access to microG preinstalled, a nice built-in firewall (haven’t played with it much), almost no preinstalled apps (compared to /e/) and access to the newest Android release (I like my distributions rolling :smirk:).

2 Likes

Interesting, I thought for CalyxOS it was a requirement. If I were going to install it and if I wanted to relock, what would be the steps to not brick the device?

The installation instructions say

Re-lock the bootloader using fastboot flashing lock

Is that correct for the FP4? Would I have to lock critical, unlock critical before or do some other magic?

The install instructions don’t mention fastboot flashing unlock_critical, but I had them unlocked already, so I can’t say.

That is correct. Those commands are the same for every ROM.

I can’t tell you. Maybe fastboot flash avb_custom_key avb_custom_key.img as iode and Calyx have started using makes this less likely.
I for one am waiting for Fairphone to investigate all the bricked devices with vanilla FPOS first, not gonna touch locking the bootloader before there is some clarification.

Edit: From what I can tell, compared to the factory install script, Calyx are flashing some of the partitions through sideloading in fastbootd; maybe that makes unlocking critical partitions not necessary.
But someone else will have to try, I already installed Calyx several times (to look for errors) and I’m not going to touch fastboot flashing lock_critical either, any command involving fastboot and “lock” doesn’t feel right :smirk:

3 Likes