GrapheneOS - detailed install instructions

Installing GrapheneOS

Originally published on https://blog.tomaszdunia.pl/grapheneos-eng/

We need

1. A suitable smartphone - in my case, it’s a Google Pixel 9a.
2. A cable to connect the phone to a computer; it can’t be just any cable, but one that is used not only for charging but also for data transmission. It’s best to just use the cable that came with the phone.
3. A computer with a Chromium-based browser (e.g., Google Chrome, Brave, Microsoft Edge, Vivaldi?). Unfortunately, I must recommend Windows 10/11 here, because then you don’t have to mess around with any drivers; it’s the simplest option.

Phone preparation

1. If it’s new, we take it out of the box and turn it on. If it was previously used, we restore it to factory settings (Settings -> System -> Reset options -> Erase all data (factory reset) -> Erase all data). I think it’s stating the obvious, but I’ll write it anyway - a factory reset results in the deletion of all user data from the device, so if you have anything important on it, you need to back it up.
2. We must go through the basic setup until we see the home screen. We do the absolute minimum. Here is a breakdown of the steps:
   • on the welcome screen, you can change the language to whatever suits you
   • we skip the GSM services setup (SIM card)
   • we don’t connect to Wi-Fi, so we skip this step too
   • the date and time settings should be correct
   • we turn off all Google Services (location, scanning, sending diagnostic data) and accept
   • we don’t need to do anything with the warranty terms, so just the Next button
   • we accept the Legal Terms
   • we set some easy PIN, e.g., 12345
   • there is no need to waste time setting up biometrics, so we politely decline and skip fingerprint and face scan
   • a moment of waiting
   • we skip the tutorial
   • swipe up and we’re done, we are on the home screen.
3. First of all, we need to make sure that our phone’s software is updated to the latest available version. For this purpose, we go to Settings -> System -> System update. If necessary, we update.
4. Next, we go to Settings -> About phone -> find the Build number field and tap it 7 times until we see the message You are now a developer. In the meantime, the phone will ask for the PIN we set during the phone setup.
5. We go back and now enter Settings -> System -> Developer options -> turn on the OEM unlocking option. The phone will ask for the PIN again. After entering it, we still have to confirm that we definitely want to remove the lock.

Unlocking the bootloader

1. We start the bootloader unlocking process by turning off the phone.
2. When the screen goes completely dark, we simultaneously press and hold the power and volume down buttons until the text-based Fastboot Mode interface appears. If the phone starts up normally, it means we performed one of the earlier steps incorrectly.
3. We connect the phone to the computer.
4. We go to the computer and open the browser (based on the Chromium engine) to the address https://grapheneos.org/install/web.
5. We go to the Unlocking the bootloader section and press the Unlock bootloader button.
6. A window with a list of devices to choose from will pop up in the browser. There should basically be only one item on it, and that should be our Pixel. We select it and press the Connect button.
7. Changes will occur on the phone’s display. A message will appear asking to confirm that we actually want to unlock the bootloader. To do this, we must press one of the volume buttons so that instead of Do not unlock the bootlader, Unlock the bootlader appears. At this point, we can confirm by pressing the power button.
8. If everything succeeded, among the data displayed in Fastboot Mode we should see Device state: unlocked (in red).

Downloading and flashing the system image

1. On the GrapheneOS website, we scroll down to the Obtaining factory images section and press the Download release button. If the phone is still connected to the computer, the website will decide on its own which system image to download.
2. We wait for the download to finish. It is obvious that the time needed for this depends directly on the speed of the internet connection.
3. When the download is complete, we can go to the Flashing factory images section below and press Flash release.
4. Spit over your left shoulder now, hold your breath, and under no circumstances unplug the phone from the computer. Best not to touch either device at all.
5. When the process is complete, the phone will restart itself and return to the Fastboot Mode interface. In the browser, we will see the message Flashed ….

Re-locking the bootloader

Locking the bootloader is crucial because it enables the full operation of the Verified Boot feature. It also prevents the use of fastboot mode to flash, format, or wipe partitions. Verified Boot detects any modifications to the OS partitions and blocks the reading of any altered or corrupted data. If changes are detected, the system uses error correction data to attempt to recover the original data, which is then verified again – thanks to this mechanism, the system is resilient to accidental (non-malicious) file corruption.

However, before re-securing the bootloader, I recommend checking if the system was flashed correctly and everything works as it should, because if it doesn’t, locking the bootloader might brick (completely block, or even damage) the phone. Therefore:

1. Being in Fastboot Mode, when we see the Start message, we press the power button, which will cause the system to start normally. If we don’t see Start at the height of the power button, we have to press the volume buttons and find this option.
2. When the phone starts up, we can immediately perform the basic setup. The bootloader won’t run away.
3. This is a standard procedure, so we will only go through it briefly:
   • welcome screen
   • we choose the language
   • we choose the time zone and thus set the date and time
   • we connect to Wi-Fi
   • if you can, you can immediately set up the SIM card, but you can also postpone it for later
   • I recommend turning off the location service, because it’s better to configure it calmly later by granting permissions only to apps that really need it
   • securing the phone with a fingerprint; I personally am an advocate of this solution, so I recommend using it, GrapheneOS does not (yet) support face unlock, so fingerprint and a standard password are the only methods we have to choose from (of course I reject pattern unlock right at the start as a form of screen lock that cannot even in good conscience be called any security)
   • I assume that if you are reading this post, you are a graphene freshman and you have no backup to restore, so we just skip this step
   • Start button and we are on the home screen.
4. If everything is working correctly, you can now go ahead and turn off the phone and turn it on while holding the power button and volume down, just like we did earlier.
5. We land back in Fastboot Mode. I assume the phone was connected to the computer the whole time (if not, reconnect it). We return to the browser on the computer. We find the Locking the bootloader section and press the Lock bootloader button.
6. Again, confirmation of this operation on the phone is required. It looks analogous to unlocking, except this time, using the volume buttons, we have to make the Lock the bootloader option active and confirm it with the power button.
7. The result should be a change of Device state to locked (in green).

Restoring the OEM lock

The final step before starting to play with the new system is reapplying the OEM lock.

1. Just like when removing the lock, we go to Settings -> About phone -> find the Build number field and tap it 7 times until we see the message You are now a developer. In the meantime, the phone will ask for the PIN we set during the phone setup.
2. We go back and now enter Settings -> System -> Developer options -> turn off the OEM unlocking option. The phone will ask us to restart to change this setting, but for now we cancel this request, because we still want to completely turn off Developer options, which is done by unchecking the box next to the first option at the very top, Use developer options.
3. Now we can restart the device.