GrapheneOS Installation Guide: (De-Google Pixel, Apps, Step-by-Step)


De-googling your phone means removing all the apps, connections, server call-backs, and integrations with the Google ecosystem.

This is most easily done, ironically, with a semi-recent Google Pixel phone.

GrapheneOS is recommended over LineageOS for its “verified boot” — but LineageOS is still a great option and is compatible with a much larger range of older Android phones.

GrapheneOS supports only a few of the recent Pixels: essentially the 3a and up are actively updated, while the 3 has a legacy version and previous models are no longer updated as of 2022.

For the official install instructions, go to grapheneos.org/install. There is even a web installer which makes a lot of the install relatively hands-off.

For this example, I will show you how to install GrapheneOS on your Pixel (3a to 6 and above) using a Linux computer and some small software tools.

Requirements

  • A computer running Linux , either a dedicated host or running on a LiveUSB. The host install (Linux installed as the operating system) is best. Do not use a Linux virtual machine for this purpose. If you have a Windows or Mac machine, don’t worry, there is a web installer. More details below.
  • A cord to connect your device to your computer.
  • An Internet connection.
  • A new or used unlocked pixel device supported by GrapheneOS. Make sure your files on the device are saved somewhere else and backed up before proceeding.

Prepare the Pixel Before Installing GrapheneOS

Enable Developer options to unlock your phone before installing GrapheneOS.
  • Turn on the Pixel device.
  • Enable developers mode by going to Settings, clicking About phone, tapping Build number at the bottom several times until Developer mode is enabled.
  • Click the back arrow and click System -> Advanced -> Developer Options.
  • Enable OEM Unlocking and confirm. If this option is greyed out, restart your device, re-enable developer options if needed, and try unlocking again. Wait a few minutes. Restart the device and check to see if the OEM Unlocking is accessible again. Sometimes this is tricky but eventually it will work.
  • Power off the device.

First, prepare your computer by installing a few tools.

Open up a Terminal window and type the following, pressing enter after each line, to download and install platform tools:

I included the actual code below but make sure you use two dashes as illustrated above for the last line.
  • sudo apt install libarchive-tools
  • curl -O https://dl.google.com/android/repository/platform-tools_r31.0.3-linux.zip
  • bsdtar xvf platform-tools_r31.0.3-linux.zip
  • export PATH=”$PWD/platform-tools:$PATH”
  • sudo apt install android-sdk-platform-tools-common
  • sudo apt install signify-openbsd
  • fastboot –version

After typing the last command which verifies Fastboot is installed, the display should be of the Fastboot version number currently installed.

Power down your Pixel device.

Next, boot your device into the bootloader interface by holding down the power and volume down buttons simultaneously.

When Fastboot mode menu shows up, connect the device to your computer with the USB cord.

Type the following command in a Terminal window:

fastboot flashing unlock

It should display OKAY after executing.

Press the volume down button on the Pixel device until the Unlock the bootloader is displayed.

Press the power button.

Next, Download and Install the GrapheneOS

For the most up-to-date release, go to grapheneos.org/releases and choose your device from the “Stable Channel” list.

The GrapheneOS files for Pixel 4a as of Jan 25, 2022 on grapheneos.org/releases

Replace the file names below with the most recent version of the file on that list. This is the most recent as of January 25, 2022.

Execute the following, line by line, in a Terminal. The last line will print out a confirmation that the file has integrity and has not been tampered with.

  • curl -O https://releases.grapheneos.org/factory.pub
  • curl -O https://releases.grapheneos.org/sunfish-factory-2022011423.zip
  • curl -O https://releases.grapheneos.org/sunfish-factory-2022011423.zip.sig
  • signify-openbsd -Cqp factory.pub -x sunfish-factory-2022011423.zip.sig && echo verified

Now extract the files and install your new GrapheneOS to your device:

  • bsdtar xvf sunfish-factory-2021081411.zip
  • cd sunfish-factory-2021081411
  • ./flash-all.sh
  • fastboot flashing lock

Now the device will show the option “Do not lock the bootloader”. Press the volume down button until the option “Lock the bootloader” is selected. Press the power button.

Great! Now you may restart your device by pressing the option “Start” or by holding the power button down to shut off the device as usual, disconnect your Pixel device from your computer, then power the device back on.

The splash screen will say there is an error because you are booting into something other than stock Android — that is to be expected. Also do not worry about the momentary Google logo, it does not mean Google Android is still on your phone.

How to Harden GrapheneOS After Installing

Now you are ready to harden a few settings to make your minimal install secure and practical.

Upon the first boot of your shiny new operating system, you’ll want to update some settings. If you have an Ethernet to USB-C adapter, use that to connect your device to the Internet.

Otherwise, press Next until the WiFi screen displays. Connect to WiFi and do the following:

  • Disable location services
  • Assign a secure PIN for your screen lock
  • Add your fingerprint for unlocking your device, if you want
  • Skip the restore options

Now your device is running GrapheneOS, is not sending any of your data back to Google servers, and is not revealing your location to any apps.

Now to tighten a few more things:

  • Disable unlocking and developer tools: Settings -> About phone -> Tap “build number” until “Developer mode” is enabled.
  • Click the back arrow and click System -> Advanced -> Developer options.
  • Disable OEM Unlocking, confirm the choice.
  • Disable Developer options.
  • Reboot your Pixel.

Downloading Apps for GrapheneOS and Keeping it Secure: F-Droid and Aurora Store

Since we are not utilizing Google for anything, Google Play Store is not going to factor into our new setup. Goodbye, centralized corporate gatekeeper!

Instead, let’s use F-Droid and Aurora Store. Most apps we need will be covered by these two app stores.

To download F-Droid, a Free and Open Source Android App Repository:

  • Launch your new browser, Vanadium, and go to f-droid.org.
  • Click “Download F-Droid”. Confirm the download, then open it.
  • If prompted, go to “Settings” and “Allow from source” to give F-Droid permission to install.
  • Click the back button and confirm the installation of F-Droid.
  • Open up the F-Droid app.
  • Swipe down from the top of the screen and install any updates to F-Droid, if applicable.
  • If prompted, repeat the “Allow from source” permissions.
  • Re-open F-Droid

Now you’ve got one alternative to Google Play Store, but this repository is limited to free and open source software applications. For a greater range, if you need it, Aurora store is a great and anonymous client to Google’s Play Store.

But Aurora Store does NOT require Google’s proprietary framework to work. In fact, it can spoof your identity, location, language etc. if you use an Anonymous profile (selected when you install Aurora Store).

  • Use the “updates” option in F-Droid and Aurora store to keep your apps up-to-date. Keep Aurora updated through the F-Droid app.
  • Your GrapheneOS will auto-update and when it does, you generally need to reboot for the updates to take effect.

Secure, Privacy-Respecting Communications Apps in GrapheneOS

Your Pixel device is now superior to any typical stock Android device or iPhone:

  • Your Pixel does not share data with Google
  • You require no account to download apps, therefore an account does not exist to surveil your habits
  • There is no cloud storage embedded in your device to automatically sync your device to third-party servers
  • You have a device that serves YOU and not those who wish to exploit your data, whether personally or in aggregate
  • Since your Pixel does not have core Google services to enable notifications, you may notice the lack of push notification services, location, and mapping. For some this is an inconvenience but for me, it is a benefit of going without Google.
  • Signal App, for example, relies on its own service for push notifications, while other apps for email may not give notifications until you open the app itself.

Signal App on GrapheneOS

Signal App (signal.org) is gaining in popularity as an end-to-end encrypted, secure communications platform.

  • Signal offers E2EE (end-to-end-encryption) for both messages and calls. Encrypted voice calling is amazing! Traditional telephone service providers can intercept any call, but full encryption with Signal means that no one can access your data.

The alternative to the compromised Facebook-owned WhatsApp and other surveillance technocratic offerings, Signal App is great except that it requires your phone number in order to create your account.

This may not seem like a big deal, but your phone number is linked to you and reveals more about you than any other social security number or social credit number ever can.

  • Optional: to prevent the privacy infringement, create a new number or use a Google Voice number (if available in your country). Or better yet, port your old number to Google Voice and then use that ported number. Never reveal the cell phone number that matches your actual device.

So now let’s download and configure Signal on your GrapheneOS Pixel:

  • Download Signal App through Aurora Store.
  • Launch the app, accept the defaults.
  • Enter (a VOIP number, ideally) phone number, confirm the text or call.
  • Enter a name you want to use, the shortest can be one letter.
  • Enter a PIN.
  • Tap the alert about missing Google services. Select “Allow” if you want the app to be running in the background (using battery resources) to receive message notifications. Select “Deny” if saving battery is more important to you and you don’t need message notifications until you open the app itself.

Whenever you want to install a new app for a desired purpose, try the F-Droid store first; they have some good privacy-respecting apps that aren’t available anywhere else.

You could also find and install APK packages directly from apkpure.com if you need to find older releases no longer hosted on the usual app stores.

Windows or Mac: Or If You Want to Use the Web Installer to Install GrapheneOS

If you don’t want to attempt the command line install on Linux, or if you have a Windows or Mac machine, there are many videos showing you how to use the web installer for GrapheneOS.

One such is Install GrapheneOS With Web Installer (Degoogle Your Phone In 10 Minutes), hosted by the wonderful youtube alternative, Odysee.com

Screenshot of the web installer in action.

Recent Posts