Categories
Linux

Installing the Exodus MOD on OnePlus 2

Less than a year ago I was attracted by the value-for-money offer of the OnePlus 2 and became a proud owner. Being paranoid about Google tracking, I disabled most Google apps. Alas, some apps were impossible to disable. I assumed that this was caused by their dependencies on other core applications. Google Play services was one of them, but I never created an account with Google and never synced anything with them.

Time went by and it happened that data over mobile was accidentally enabled. Then I noticed from the mobile data traffic statistics that Google Play services was creating traffic even without a Google account! Why this happens is beyond my perception, but anyone is allowed to guess based on [recent history](https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#/media/File:Prism_slide_5.jpg "PRISM Surveillance program"). There is an option to disable background traffic on the stock Android ROM (OxygenOS), but that works only when data over mobile is enabled. With Wi-Fi enabled, Google Play services keeps on sending suspicious traffic back to mother Google.

So I decided to look for alternatives to replace OxygenOS with a Google-free Android ROM. These are the options I have investigated:

  • Replicant:
    This seems to be the more privacy respecting Android MOD. No support for OnePlus 2, alas!
  • AOKP:
    This is an interesting MOD with lots of features. There are recent nightly builds for OnePlus 2. I tried to install it on my phone but it gave an error when I tried to sideload it.
  • CyanogenMOD:
    A popular Android MOD that was recently discontinued. A fork by the name LineageOS is taking over. No image downloads yet.
    UPDATE (2-Jan-2016): There are some experimental LineageOS images here.
  • Paranoid Android:
    Another successful Android MOD with close ties to OnePlus. It boasts some interesting features. Officially supports all OnePlus models except the latest OnePlus 3T. I tried the OnePlus 2 image but the phone got stuck at the OnePlus logo boot screen.
  • Exodus:
    This is a minimalistic Android MOD. It is based on AOSP and is free from Google Apps. This is the only MOD I managed to get working on my OnePlus 2.

So I decided to go with Exodus. This guide describes the procedure and preparations I followed in order to flash the latest Exodus nightly build for OnePlus 2.

DISCLAIMER: This guide could render your device a luxurious brick! Back up everything before you continue. The author of this guide will not be liable for any damage you may cause to your device or any data lost. Proceed at your own risk!

Now that we got that out of the way, let’s continue.

Prerequisites

  • A PC. In this guide we are using Debian/Ubuntu as the PC’s Operating System but this can work with other Operating Systems, with minor adaptations.
  • A OnePlus 2 smartphone. It could possibly be used for other devices too, but I have only tested this on OnePlus 2.
  • The Android Debug Bridge (ADB). This is part of the Android SDK. On Debian/Ubuntu you can install it with apt install android-tools-adb.
  • A Type-C USB cable to connect the phone to your PC.

Make your device detectable in Linux

There are a few steps we need to follow so that the OnePlus 2 is detectable by ADB.

Enable USB Debugging

To Enable USB Debugging we need to first enable the Developer Options:

  • Go into Settings
  • Dive into the About phone option
  • Tap 7 times on the Build number option
  • Go back and tap on Developer Options
  • Enable USB debugging and OEM unlock

Enable detection of device under Linux

First ensure that the device is connected:

# lsusb
...
 Bus 003 Device 039: ID 2a70:f003  
...

The USB vendor ID for the OnePlus 2 is 0x2a70 (the part before the colon in the ID that lsusb prints). Set this in ~/.android/adb_usb.ini:

# echo "0x2a70" >> ~/.android/adb_usb.ini

Download the udev rules files (Thanks Nicolas Bernaerts):

# wget --header='Accept-Encoding:none' -O /etc/udev/rules.d/51-android.rules https://raw.githubusercontent.com/NicolasBernaerts/ubuntu-scripts/master/android/51-android.rules
# chmod a+r /etc/udev/rules.d/51-android.rules
# wget --header='Accept-Encoding:none' -O /etc/udev/rules.d/69-mtp.rules https://raw.githubusercontent.com/NicolasBernaerts/ubuntu-scripts/master/android/69-mtp.rules
# chmod a+r /etc/udev/rules.d/69-mtp.rules

Restart the udev and ADB services:

# systemctl restart udev
# adb kill-server
# adb start-server

NOTE: make sure USB Debugging is enabled otherwise you will still not be able to see the device!

Verify that the device is present:

# adb devices 
List of devices attached 
da0afea7        unauthorized

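Seems OK. The unauthorized state means the phone has not yet accepted this PC's ADB key; once you confirm the USB debugging prompt on the phone, the state changes to device.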

Backup your data and stock image

Since we are not using Google’s services we will need to manually backup all important data such as:

  • Export contacts on a .vcf file.
  • Save Pictures and Videos from the phone on your PC
  • Back up any other application data which is important to you.

You can also backup your entire system with ADB:

# adb backup -f oneplus2.bck -apk -shared -all

This will take some time depending on the size of your data.

You can later restore your system back to normal, using this command:

# adb restore oneplus2.bck

Prepare the recovery image

Download and prepare the First Aid kit

This is a bundle that includes all the files needed to bring life to a bricked OnePlus 2 device. It includes a recovery image which we will use to install Exodus (or any other image you wish) on the device.

# wget -O Firstaid_v_2_0.zip 'http://forum.xda-developers.com/devdb/project/dl/?id=16684&task=get'
# unzip Firstaid_v_2_0.zip

All the necessary files are in the newly created Firstaid directory.

Download TWRP Custom recovery

The recovery image that comes with Firstaid is somewhat outdated. We will download a more recent version of it and replace it in the Firstaid directory. You can download the more recent TWRP image from here. Do not use wget or other command line tools, just a normal browser to download it.

NOTE: There are more recent versions than 3.0.2-0 like 3.0.2-1 and 3.0.2-2. You can try those if you feel lucky, but be warned! Those versions did not work on my phone. You can see all the past and recent images here.

Verify the downloaded image:

# wget -O twrp-public.asc https://dl.twrp.me/public.asc
# gpg --import twrp-public.asc
# wget https://dl.twrp.me/oneplus2/twrp-3.0.2-0-oneplus2.img.asc
# gpg --verify twrp-3.0.2-0-oneplus2.img.asc twrp-3.0.2-0-oneplus2.img

If you get Good signature from "TeamWin <admin@teamw.in>" that means the image is correct. Now replace the TWRP image that comes with Firstaid with this one:

# cp twrp-3.0.2-0-oneplus2.img Firstaid/twrp.img
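
gpg prints Good signature for any key that is in the keyring, and here the key was imported from the same site as the image, so the stronger check is that the signing key is the one you expect. This added example (not from the original guide; the function names are hypothetical and PINNED_FPR is a placeholder for a fingerprint you obtain from a second source) parses gpg's machine-readable status output and accepts only that key:

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original guide).

# status_signed_by <40-hex-fingerprint>
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the pinned key (as signing key or as primary key) and
# no BADSIG, ERRSIG, EXPKEYSIG or REVKEYSIG line is present.
status_signed_by() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$pinned" in
        *[!0-9A-F]*) echo "fingerprint must be hex" >&2; return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || { echo "need a 40-digit fingerprint" >&2; return 2; }
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned <fingerprint> <signature.asc> <file>
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | status_signed_by "$1"
}

# Usage, with PINNED_FPR obtained out of band (placeholder, not a real key):
#   verify_pinned "$PINNED_FPR" twrp-3.0.2-0-oneplus2.img.asc twrp-3.0.2-0-oneplus2.img \
#       && cp twrp-3.0.2-0-oneplus2.img Firstaid/twrp.img
```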

Flash the recovery image

Reboot to fastboot mode:

# adb reboot-bootloader

Alternatively, you can power off the OnePlus 2 and press the Volume UP + Power buttons simultaneously.

Verify the presence of the device:

# fastboot devices
da0afea7               fastboot

Unlock the phone (unlocking the bootloader wipes the data on the phone):

# fastboot oem unlock

Flash Firstaid with the recent TWRP recovery image:

# cd Firstaid
# ./firstaid.sh

Now unplug the phone from the PC, power it off and then press the Volume DOWN + Power buttons simultaneously. This will bring your phone into TWRP recovery.

Flashing the Exodus image

Download Exodus image and verify

Download the latest Exodus image for OnePlus 2 here:

# wget http://exodus-developers.net/exodus-6.0/oneplus2/exodus-6.0-20161111-NIGHTLY-oneplus2.zip
# wget http://exodus-developers.net/exodus-6.0/oneplus2/exodus-6.0-20161111-NIGHTLY-oneplus2.zip.md5 

Verify that the download is correct:

# cat exodus-6.0-20161111-NIGHTLY-oneplus2.zip.md5 ; md5sum exodus-6.0-20161111-NIGHTLY-oneplus2.zip
35dcf9ea73648682a36e673f5ed8f0eb  /android/exodus-6.0/out/target/product/oneplus2/exodus-6.0-20161111-NIGHTLY-oneplus2.zip
35dcf9ea73648682a36e673f5ed8f0eb  exodus-6.0-20161111-NIGHTLY-oneplus2.zip

Seems OK.

Plug the phone back to the PC and ensure that it is detectable by ADB:

# adb devices 
List of devices attached 
da0afea7        device

Flash the Exodus image

Follow these steps:

  • Wipe old data: Select Wipe and then Swipe to Factory Reset. You may need to format the system if the previous system was encrypted.
  • Enter the Sideload mode: From the TWRP start menu select Advanced then ADB Sideload and then Swipe to Start Sideload
  • From the PC’s CLI run the following command:
# adb sideload exodus-6.0-20161111-NIGHTLY-oneplus2.zip

Wait and then reboot into the new Exodus system when done.

Optional steps

Install F-Droid:

By default Exodus has a minimal set of apps. Since we are not using Google Apps we will need to install F-Droid:

# wget https://f-droid.org/FDroid.apk
# adb install FDroid.apk

Lock your Phone

Set up a PIN or pattern to lock the screen of your phone when not in use: Settings -> Security -> Screen Lock. Avoid fingerprint as it can be easily bypassed.

Encrypt phone

Encrypting your phone will protect your data if it gets stolen or confiscated. The steps are: Settings -> Security -> Encrypt phone. Your phone will need to be plugged into a charger and charged to 80% or above, otherwise the system will refuse to start the encryption process.

Restoring the Stock OxygenOS System

If you decide that you don’t like Exodus or any other MOD that you have installed, you can restore your phone back to the stock OxygenOS. These instructions can also be used to restore your phone’s functionality after you have accidentally bricked it.

Download necessary images

Download the stock OxygenOS 3.0.2 image from here. Verify the download with:

# echo 46b1fde116275d83d05c2dd89422069f ; md5sum OnePlus2Oxygen_14_OTA_019_all_1606041303.zip
46b1fde116275d83d05c2dd89422069f
46b1fde116275d83d05c2dd89422069f  OnePlus2Oxygen_14_OTA_019_all_1606041303.zip

Download the upgrade patch for Oxygen 3.1.0 from here. Verify the download with:

# echo 9cfa9a2a4c7fada6f9db79ea660251d0 ; md5sum OnePlus2Oxygen_14_OTA_019-020_patch_1608262242.zip 
9cfa9a2a4c7fada6f9db79ea660251d0
9cfa9a2a4c7fada6f9db79ea660251d0  OnePlus2Oxygen_14_OTA_019-020_patch_1608262242.zip
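
The checksum comparisons in this guide (the Exodus .md5 file and the two OxygenOS hashes) are done by eye; this added example, which is not part of the original guide and uses hypothetical function names, does the comparison in a function that returns a non-zero status on mismatch. Keep in mind that a digest fetched over the same plain-HTTP channel as the image detects a corrupted download, not a tampered one.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original guide).

# file_digest <md5|sha256> <file>: print the file's lowercase hex digest.
file_digest() {
    case "$1" in
        md5|sha256) "${1}sum" < "$2" | awk '{print tolower($1)}' ;;
        *) echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
}

# expected_digest <hex-or-checksum-file>: print the expected digest.
# For a checksum file only the first field of the first line is used, so the
# build-server path recorded in the Exodus .md5 file does not matter.
expected_digest() {
    if [ -f "$1" ]; then
        awk 'NR == 1 {print tolower($1)}' "$1"
    else
        printf '%s\n' "$1" | tr 'A-F' 'a-f'
    fi
}

# verify_digest <md5|sha256> <file> <hex-or-checksum-file>
# Returns 0 on match, 1 on mismatch, 2 on unreadable or malformed input.
verify_digest() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 2; }
    want=$(expected_digest "$3") || return 2
    case "$want" in
        ''|*[!0-9a-f]*) echo "malformed expected digest" >&2; return 2 ;;
    esac
    got=$(file_digest "$1" "$2") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK   $2"
        return 0
    fi
    echo "FAIL $2: expected $want, got $got" >&2
    return 1
}

# Usage with the files from this guide:
#   verify_digest md5 exodus-6.0-20161111-NIGHTLY-oneplus2.zip \
#       exodus-6.0-20161111-NIGHTLY-oneplus2.zip.md5
#   verify_digest md5 OnePlus2Oxygen_14_OTA_019_all_1606041303.zip \
#       46b1fde116275d83d05c2dd89422069f
```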

Optionally you can download the SuperSU image if you would like your OxygenOS rooted:

# wget -O supersu.zip 'https://download.chainfire.eu/743/SuperSU/BETA-SuperSU-v2.52.zip?retrieve_file=1'

Flash the recovery image

First we need to restore the recovery ROM from Firstaid:

# cd Firstaid
# ./firstaid.sh

Flash the Oxygen Images.

Before we install the OxygenOS image it is recommended to wipe the phone: From the TWRP menu select Wipe and then Swipe to factory reset. If the system was previously encrypted you will need to use TWRP to format it before the wipe.

Then we need to set the device into Sideload mode: Select Advanced -> ADB Sideload -> Swipe to Start Sideload.

First install the OxygenOS 3.0.2 image:

# adb sideload OnePlus2Oxygen_14_OTA_019_all_1606041303.zip

Then re-enable ADB Sideload and load the Oxygen 3.1.0 patch:

# adb sideload OnePlus2Oxygen_14_OTA_019-020_patch_1608262242.zip

Optionally, you can load the SuperSU application as well:

# adb sideload supersu.zip

Finally reboot into the new system and enjoy your freshly formatted phone.

References

  • http://bernaerts.dyndns.org/android/339-android-oneplustwo-oneplusx-enable-adb-mtp-detection-ubuntu-trusty
  • https://forum.xda-developers.com/devdb/project/dl/?id=16684
  • https://twrp.me/
  • https://twrp.me/devices/oneplustwo.html
  • https://github.com/TeamExodus/device_oneplus_oneplus2
  • http://exodus-developers.net/

Creating an authoritative-only DNS system for your domain

Most registrars provide a DNS service when you purchase a domain name. But having your own DNS servers means more control for you. And if you are an aspiring sysadmin, you will find it fun and educational. We will be using BIND 9, which is by far the most popular DNS implementation.

Prerequisites

We will need two systems (VMs or containers), preferably in different geographic locations and with different providers. One will be the master and the other the slave. This guide works for recent Debian or Ubuntu systems.

Some assumptions:

  • Master DNS:
    • Hostname: ns1.example.com
    • IP: 1.1.1.1
  • Slave DNS:
    • Hostname: ns2.example.com
    • IP: 2.2.2.2
  • Webserver:
    • Hostname: example.com (www.example.com is an alias)
    • IP: 3.3.3.3
  • Main mailserver:
    • Hostname: mx1.example.com ({mail,smtp,pop,imap,webmail}.example.com are aliases)
    • IP: 4.4.4.4
  • Backup mailserver:
    • Hostname: mx2.example.com
    • IP: 5.5.5.5

Preparations

Setup the /etc/hosts file

On master’s /etc/hosts:

1.1.1.1    ns1.example.com ns1

On slave’s /etc/hosts:

2.2.2.2    ns2.example.com ns2

Installing BIND

NOTE: all commands must be applied to both master and slave unless otherwise stated

apt-get -y install bind9 bind9utils

Allow port 53:

ufw allow 53

Configure the global options

Make the following changes in the /etc/bind/named.conf.options of both servers:

--- /etc/bind/named.conf.options        2016-12-12 14:44:57.163515708 -0500
+++ /etc/bind/named.conf.options.new    2016-12-12 14:52:29.749268250 -0500
@@ -1,5 +1,7 @@
 options {
        directory "/var/cache/bind";
+       recursion no;
+       allow-transfer { none; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
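
Review bot: the two added lines at the top of the options block (recursion no; and allow-transfer { none; };) carry no comment, and the global allow-transfer default is easy to misread as blocking the secondary as well. Suggest a one-line comment above them saying that this server is authoritative-only and that zone transfers are denied by default and re-enabled per zone in named.conf.local.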

Configure the local options

On master’s /etc/bind/named.conf.local:

--- /etc/bind/named.conf.local  2016-12-12 20:06:27.000000000 +0000
+++ /etc/bind/named.conf.local.new      2016-12-12 20:07:03.000000000 +0000
@@ -6,3 +6,8 @@
 // organization
 //include "/etc/bind/zones.rfc1918";

+zone "example.com" {
+    type master;
+    file "/etc/bind/db.example.com";
+    allow-transfer { 2.2.2.2; };
+};
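
Review bot: in the added zone block, allow-transfer { 2.2.2.2; } identifies the secondary by source address alone. Consider defining a TSIG key shared with the secondary and referencing it with allow-transfer { key <name>; }; so that the transfer is authenticated rather than only address-filtered.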

On slave’s /etc/bind/named.conf.local:

--- /etc/bind/named.conf.local  2016-11-01 13:02:24.000000000 -0400
+++ /etc/bind/named.conf.local.new      2016-12-12 15:09:47.445235343 -0500
@@ -6,3 +6,8 @@
 // organization
 //include "/etc/bind/zones.rfc1918";

+zone "example.com" {
+    type slave;
+    file "db.example.com";
+    masters { 1.1.1.1; };
+};
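
Review bot: file "db.example.com" in the added zone block is a relative path, which the reader has to resolve against directory "/var/cache/bind" from named.conf.options, while the master's zone block uses an absolute /etc/bind path. A short comment stating that the transferred zone is written under /var/cache/bind, and that named needs write access there, would save the lookup.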

Create the zone file

On the master server, create the zone file (/etc/bind/db.example.com):

$TTL 3600
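@    IN    SOA    ns1.example.com.    root.example.com. (
                                            2016121201 ; serial, increase on every change
                                            7200       ; refresh: how often the slave checks for changes
                                            3600       ; retry: wait after a failed refresh
                                            1209600    ; expire: slave stops answering after this long without the master
                                            180 )      ; negative-caching TTL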

; NS Records
@       300    IN      NS              ns1.example.com.
@       300    IN      NS              ns2.example.com.

; MX Records
@       300    IN      MX      10      mx1.example.com.
@       300    IN      MX      20      mx2.example.com.

; Address records
@       300    IN      A               3.3.3.3
ns1     300    IN      A               1.1.1.1
ns2     300    IN      A               2.2.2.2
mx1     300    IN      A               4.4.4.4
mx2     300    IN      A               5.5.5.5

; Alias (Canonical Name) records
www     300    IN      CNAME           example.com.
mail    300    IN      CNAME           mx1.example.com.
smtp    300    IN      CNAME           mx1.example.com.
imap    300    IN      CNAME           mx1.example.com.
pop     300    IN      CNAME           mx1.example.com.
webmail 300    IN      CNAME           mx1.example.com.

; TXT records
@       300    IN      TXT             "v=spf1 a mx ?all"

Verify the global configuration

Run the named-checkconf command on both servers. If you get any errors you should fix them before proceeding.

Verify the zone configuration

Run the following command on the master server:

named-checkzone example.com /etc/bind/db.example.com
zone example.com/IN: loaded serial 2016121201
OK

If you get ‘OK’ then your setup is correct, otherwise you should fix it before proceeding.

Restart bind and test your servers

systemctl restart bind9.service

Now test if your servers resolve your records.

The master:

dig smtp.example.com @1.1.1.1
...
;; ANSWER SECTION:
smtp.example.com.   300 IN  CNAME   mx1.example.com.
mx1.example.com.    300 IN  A   4.4.4.4
...

The slave:

dig smtp.example.com @2.2.2.2
...
;; ANSWER SECTION:
smtp.example.com.   300 IN  CNAME   mx1.example.com.
mx1.example.com.    300 IN  A   4.4.4.4
...

If you get any errors you can check your syslog file (/var/log/syslog).
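
The dig tests above show that the records resolve, but not that recursion no; and allow-transfer { none; }; took effect. This added example (not from the original guide; the function names are hypothetical, and audit_server is meant to be run from a host that is neither of the two nameservers) classifies dig output for both settings:

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original guide).

# check_answer_flags: reads `dig` output for a name in the zone on stdin.
# Prints a verdict; returns 0 only for an authoritative answer (aa flag)
# from a server that does not offer recursion (no ra flag).
check_answer_flags() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags: */, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) seen[f[i]] = 1
            found = 1
        }
        END {
            if (!found)      { print "no-header"; exit 2 }
            if (seen["ra"])  { print "recursion-available"; exit 1 }
            if (!seen["aa"]) { print "not-authoritative"; exit 1 }
            print "authoritative-only"
        }'
}

# check_axfr: reads `dig <zone> AXFR` output on stdin.
# Returns 0 when the transfer was refused, 1 when zone data came back,
# 2 when the output shows neither (for example a timeout).
check_axfr() {
    awk '
        /^; Transfer failed/      { refused = 1 }
        $3 == "IN" && $4 == "SOA" { soa = 1 }
        END {
            if (soa)     { print "transfer-allowed"; exit 1 }
            if (refused) { print "transfer-refused"; exit 0 }
            print "inconclusive"; exit 2
        }'
}

# audit_server <zone> <server-ip>: run both checks against a live server.
audit_server() {
    dig +noall +comments "$1" SOA "@$2" | check_answer_flags || return 1
    dig "$1" AXFR "@$2" | check_axfr
}

# Usage: audit_server example.com 1.1.1.1 && audit_server example.com 2.2.2.2
```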

Finalizing

After you have tested that everything is OK, it is time to tell your registrar about the new servers. This is called setting the glue records and you should consult the documentation of your registrar on how to do that. Ask support if you have any trouble.

References

  • https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04