Installing GrapheneOS on a Google Pixel 6

My current phone - a OnePlus 6T running /e/ - has been a great re-introduction to Android after many years using iOS, but the battery is going, and the screen has a few deep-ish scratches, so I’ve been looking around for a replacement.

Honestly, I’d love that to be the PinePhone Pro. I’d really like to have a phone running Mobian. But it’s just not quite there yet, in my view. So I’m happy to have supported the project, but I need something more suitable more rapidly.

I’ve heard lots of good things about GrapheneOS, as a de-Googled, security and privacy focussed, Android-based OS. And since I wanted to try something which doesn’t rely on microG, and since the Pixel hardware is well-priced for the specifications, I’ve give it a go.

I bought a Pixel 6 from Amazon, for £350ish + VAT. Buying a screen protector and case bumped that up a bit. But, for a brand new phone, which I hope to keep for quite a while, I think that’s pretty good.

Pre-installation set-up

I’ve no idea what the stock Android experience is like, as I only booted it to do what I needed to do to install GrapheneOS.

I skipped as much of the initial out-of-box device set-up as possible.

For the prompts relating to share data with Google, it was not obvious whether they were on by default, or off. So I toggled them all to the left. I don’t know if I was right or not.

I followed the GrapheneOS installation instructions for enabling developer mode.

But even after connecting to Wi-Fi (I had not intended to do this), I could not enable OEM unlocking. The option remained greyed out.

It seems that I had to wait a few minutes, for some remote check to be completed, before I could do it.

There was a firmware update, but I was impatient, and so didn’t do it.

Installing GrapheneOS using the web installer

I used the web installer for GrapheneOS, as I was intrigued as to what it would be like.

And what was it like? Amazing. Massive applause to the Graphene OS team for making installation just so simple.

The WebUSB installer is, by far, the simplest approach I have ever seen for flashing an alternative OS on a device.

(When compared with UBPorts, Mobian, postmarketOS, and /e/.)

Seriously, bravo. It. Is. Superb.

Click. Click. Click.

And you get responsive feedback about what is happening. For example:

Screenshot showing Downloading oriole-factory

(In case it is relevant, I did this from a computer running Debian 11. I already had android-sdk-platform-tools-common installed.)

Initial permission error

When first giving permission in Brave to use WebUSB to connect to the phone, it didn’t work. I got an error:

Screenshot of an error message: Screenshot of an error message, saying Error: Failed to execute claimInterface on USBDevice. Unable to claim interface.

Unplug, re-plug, click again, and it was fine.

Flashing factory images

I couldn’t say whether this was because of something I did (although I don’t think so), or something else, but I had to run the “Flashing factory images” command three times.

The first two times, it looked like it was stuck in a boot loop. It would boot to a white screen with a Google logo on it, then would loop back to the bootloader.

I’m very willing to say that perhaps I messed something up. And it did work.

Confirmation message saying Flashed to device

I wonder if I’d have had more feedback if I’d used the cli approach instead.

But, once it did, it booted to the GrapheneOS load screen, and then into GrapheneOS.

What is GrapheneOS like?

I haven’t had much time to tinker with it yet. So, other than installing the Aurora app store as I don’t intend to use Google’s own Play store, and installing a few apps, I haven’t done much.

Most of the apps I am using on my current /e/ installation, which is only on Android 10, seem available. I’m still looking for a replacement for DAVx, for calendar and contacts sync. I’ve no problem paying the low fee requested (and I donated to the project for the app I was using on /e/), but I have no mechanism for doing so.

I love the dark colour scheme, and I was a bit irked when the apps I installed via Aurora had brightly-coloured icons. But not a major issue.

I’ve yet to work out how to get FIDO2 via NFC (WebAuthn) working for Bitwarden. It looks like something to do with Google Play settings, but I’m not sure exactly what.

For some reason, private DNS (which I think is DoT) seems to interfere with RADIUS-authenticated PEAP-based Wi-Fi. Not sure why. But then I was surprised it worked at all, as private DNS does work on my /e/ device. As long as I can get an on-demand VPN config for WireGuard working, I am not too worried about private DNS (although, were I using Mobian, I’d use dnscrypt-proxy, I guess).