
Google Pixel 5a (2022)
Setup

Jim Carter, 2022-04-17


When the New Phone is Received

Chassis   | Name    | Hostname | Future
Old Phone | Pioneer | Selen    | Pioneer
New Phone | Barbet  | Orion    | Selen

When Orion is set up and reasonably operational, Selen will be renamed to Pioneer and Orion will be renamed to Selen. The IP addresses follow the names; the MAC address stays with the chassis. The nano-SIM will move fairly early from Selen to Orion.

What's in the box:

First steps:

Initial Setup on the Stock OS

Going through the steps in Google's guide to import data etc. from an old Android phone.

Now it wants to update 31 apps. Doing them now.

Quite a lot of apps did not get copied over to Orion (stock OS), with no report of why. Statistics: 12 missing, 5 replaced by the Pixel equivalent, 2 other fates. Since I'm going to install LOS, I'm not going to try to resurrect them. Here's a list. The phrase "will reinstall" implies that it's been seen on the Play Store.

Here's a detailed history of resurrecting Sudokyuu, a game I play.

On the Pixel (stock OS) you can now create a custom theme for the home screen. You can select an icon theme (e.g. the Wi-Fi icon), the font, and the shape of the icon backgrounds, 4 shapes including square. (In LOS see Display-Icon Shape; they have 7 more creative shapes.) You can reduce the icon grid size; 5x5 is the default.

Breaking news: overnight the Pixel discovered an upgrade from Android-11 Rhubarb to Android-12 Strudel. LOS is still on its version 18.1 based on Android-11, so I'm not going to upgrade the stock OS, in case there are significant differences between stock and LOS-18.1. I'm also going to pause updates on the Pioneer. (Preview: LOS also switched versions, and to install LOS-19 I needed to upgrade the stock OS first.)

I discovered these tidbits of information:

Backing Up the Trim Area

NOTE: Figure out what to do about the trim area. See the extensive discussion in the Pioneer hardware report.

Jimc judges that he is extremely unlikely to even notice the absence of the DRM keys that were trashed. Thus I'm cutting off this project with the decision to not back up the DRM keys. However, I will use TWRP Recovery to back up the TA partition (minus DRM keys) after unlocking the bootloader. Update: TWRP doesn't support the barbet. I'll have to improvise something once the phone is rooted.

Procedure to back up the TA partition (on Pioneer)

To Root or Not To Root

When I had my Galaxy S5 rooted, what were the effects on the phone? That is, what did I use rooting for? And what negative effects were there?

Conclusion: being rooted is not a number one priority for my use of the phone, but I'm going to give Magisk a try.

I installed YASNAC as a SafetyNet tester. There are several such testers. Each one has an API license key, and there's a limit on the number of queries that could be made per key, per day. If the limit is exceeded, which definitely happens on the more popular apps, the app will report that it could not contact Google Play Services.

I'll use this sequence of operations:

So how do you re-lock the bootloader? Discussion on Reddit, OP u/Axios86 (about 2020-05-xx). He wants to re-lock. Comments range from "I did it on Pixel or OnePlus" (but doesn't generalize to all OEMs) to "don't do that, you'll brick your phone". But the procedure involves inserting the appropriate cert in vbmeta (which you then have to insert into…) I'm going to conclude that relocking isn't going to happen.

Web resources for Magisk:

Tidbits from the Magisk release notes: The developer of Magisk is topjohnwu. As of Magisk 24.0 (2022-01-26), he is working for Google on the Android Platform Security Team. But apparently he's still allowed to develop Magisk. Formerly Magisk included a module to hide the existence of Magisk, but he got worn down by the endless cat and mouse game and has removed this module. But other developers have created better such modules, which he endorses.

Installing CyanogenMod (LineageOS) Version 19

On the very day I'm writing this, LOS released version 19 (Android-12L) for Barbet and 40 other phones including the Pioneer. In the LOS staff blog dated 2022-04-26, they say, "On the whole, we feel that the 19 branch has reached feature and stability parity with 18.1 and is ready for initial release." Should I go along? If I install v18.1 and then upgrade to v19, it's not as much work as replacing the stock OS, but the upgrade is nontrivial. I'm going to install v19. But I've stashed the last v18.1 image files, so I can downgrade if necessary. For the next month or so I should upgrade weekly, then go back to my usual update every 2 weeks. (Note, while the new version is called LineageOS 19, the image filenames include 19.1 as the version.)

Web resources:

You should obtain in advance the current LOS image, vendor_boot image, and GApps (Google Apps) package. (Use GApps in web searches, not google apps.) (LOS instructions put this step after you've booted into Recovery.)

Unlocking Bootloader, Installing LOS Recovery and LOS Image

The following steps are from the LOS installation instructions for Barbet, which should be read (and obeyed) in parallel, plus added clarification by jimc. Step numbers match with that howto.

LineageOS Initial Setup

What the Setup Wizard seems to have transferred (or set up anew):

Loose ends:

Setting Up LineageOS Settings and Apps

Now I have LineageOS running on the phone. Here's a journal of what I did to set it up.

Now I'm going to go through Settings and see what's available. I expect that most will be informational (like Wi-Fi scan results) and most of the rest will be left at defaults or at whatever value was imported from the old phone; only changed settings are shown here.

Launcher Icon Layout

The app launcher (Trebuchet) has an unlimited number of pages. It wants to open on the leftmost of them, whereas formerly I used the middle of three as my home page. For launcher settings, long press in the background and a menu will open with items for settings, widgets and wallpapers. I haven't found a setting to pick a different home page. Here are my settings; * indicates other than the default.

My icon layout. Many apps are reached only from the app drawer. I'm going to duplicate what's on the old phone (Pioneer) as much as possible.

— Dock (using 3 of 5 slots) —
Camera | Firefox | Phone
— Page 0 (Home) —
Amazon Kindle | QRbot | Tasks | Xabber
Smart Time Sync | GPS Locker | aCalendar | Messaging
Kitchen Timer | Jog Tracker | Contacts | RealCalc
Huge Dig Clock | Jota Editor | Google Maps | Bible App
(Vacant)
— Page 1 (Technical and Games) —
StrongSwan | OpenVPN And. | WireGuard | H.E. Net Tools
SimpleSSHD | NiM Websvr | ownCloud | JuiceSSH
GPS Status | WiFi Analyzer | Sensors | Net Cell
Settings | Total Commander | DNS Forwarder | Gallery
(vacant) | (vacant) | Sudokyuu | Solitaire Coll.
— Page 2 (Misc) —
iRobot | Domoticz | Thermostat | Ring
Bitwarden | Whole Foods | MyChart | Voicemail
Zoom | Bluetooth Kbd | CA Notify | Play Store
Sky Map | Earth | (Vacant) | Google Pay
(Vacant)

Miscellaneous settings: Sounds. Set these in Settings-Sounds (toplevel directory). You can also set them in various other places like the phone app. In several major version upgrades the names of the sounds were randomized, but they stayed stable in the upgrades from LOS-17 to LOS-18.1 to LOS-19.

Android Backups: SeedVault

The adb Android debugging utility used to have a subcommand to back up the phone, but around 2020 it was removed. I've been using a back-version adb to do these backups, but that's not sustainable, nor prudent. Also I have never done a fire drill, restoring one of these backups, to see just how much stuff is actually being backed up. It's time to get dragged, kicking and screaming, into the current decade. So what's a good backup program that will work on LOS-19?

An open source program called SeedVault is an official component at least since LOS-17. If I'm reading this right, it has these features:

I did a trial backup, with these outcomes:

Here's a preliminary assessment of what was backed up, with a count of apps in each fate category:

How to exfiltrate the backup with adb:

How to exfiltrate the backup with rsync:

How to decrypt, modify and reencrypt seedvault android backups:

A tidbit about DAVx5:

Installing Magisk and Procedure Confirmation (on Pioneer)

Help with Installing Lineage on Xperia XA2, OP davidovski on Reddit (about 2019-03-xx). He describes the procedure he followed, which to jimc seems to not agree with LineageOS instructions. He gets a public key verification error on (I'm pretty sure) the LineageOS zip file. shamanonymous replies: You definitely don't need to install TWRP permanently. The XA2 uses the new A/B system image method, so there is no recovery partition… I only needed TWRP for reinstalling root, but now Magisk is also A/B aware, so I just have to run it after the Lineage OTA.

He continues with a summary of the install process (with extra notes from jimc):

He continues with how to handle a Lineage update. It will write the new image to the other (A/B) set of partitions. If botched it will say so and exit. If OK it will change that partition to be active. Before you reboot, start the Magisk Manager app and click Install - On The Other Partition. Do this, then reboot. Lineage OTA updates work just fine in this configuration.

thinkofdoc responds: LuK1337 is the primary developer for this build. He advises against installing TWRP, and provides a link to a custom TWRP image that works better with the XA2 image. (jimc says: looks like the reported issue is very minor and in 2020 it will be long forgotten.)

Respondent moroi (2018-08-14 on XDA-Developers) (this is post 311, last on page 31 of this very long thread). He tells why you mustn't boot LineageOS before installing Google Apps: on an A/B system, TWRP installs the LOS zip into the inactive partition, then (on success) marks it active. But it installs Google Apps in the active partition. So after installing LOS you have to reboot back into TWRP, not into LineageOS. This seems a little strange to jimc. My speculation (without objective evidence): TWRP installs everything to the inactive A/B set of partitions. On success with LOS it swaps the active/inactive markings. But the partition isn't really active until you reboot, so if you install something else (Google Apps), it will again go in the currently inactive partition where LOS was just installed, which is what you want. Whereas if you rebooted into LOS (without Google Apps), then got back into TWRP and installed Google Apps, it would go into the then-prevailing inactive partition, where LOS isn't.

Running Magisk Manager to set up Magisk:

Update: The following hodge-podge of forum posts documents unsuccessful attempts to get the phone to pass ctsProfile. Suggestion, pick up at Google Pay on Rooted Phone. A lot of the forum posts linked here refer to how to take an image that Google won't certify, and make it look like one that can be. But I had no problem registering this LOS image with Google.

[FIX] SafetyNet Failed: CTS Profile Mismatch Errors — Full Guide! by Arvind Rana on DroidHolic (2020-03-05). CTS means Compatibility Test Suite. Among quite a lot of other items to check/fix, he says USB Debugging (in Settings - System - Developer Options) is a red flag for CTS. For me, turning it off did not solve the problem.

Cant find Enable Busybox in Magisk settings and ctsProfile not successful, OP rolferikalfheim on XDA-Developers (2017-09-14). He has my symptom, no Busybox option in Magisk Manager, and ctsProfile test fails. Didgeridoohan (moderator) replies, that setting has been absent for some time. Use the Busybox module in the Downloads section of Magisk Manager.

Magisk and MagiskHide Guide - SafetyNet maintained by didgeridoohan. One issue: check in Play Store settings (at the bottom) for Play Protect certification: Device is not certified. The linked page gives some fixes. Basically, make sure you can pass SafetyNet. Jigger some props to match a known certified kernel/system. Clear data for Play Store. Reboot. The main symptom of this failed certification is that certain apps won't appear, or will appear but won't be installable. Netflix is the one most often complained about. I did this but still can't pass ctsProfile. The item for Play Protect Certification has disappeared, and the Netflix product page can be displayed. (I didn't try to install it; I didn't try to see it before improving my compliance level.)

Following instructions in the above wiki and various forum posts, I disabled Magisk Hide, rebooted, tested SafetyNet (ctsProfile false, basicIntegrity true), enabled it again, rebooted, and tested SafetyNet again. Still ctsProfile false.
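What a tester's two results correspond to on the verifying side, as an added example (not code from this page, from YASNAC or from Google): the SafetyNet attestation response is a JWS whose JSON payload carries ctsProfileMatch and basicIntegrity next to a nonce and timestamp. The sample response, the nonce, the 5-minute freshness window and the result labels are constructed for illustration, and signature and certificate-chain verification is deliberately left out.

```python
import base64
import json

MAX_AGE_MS = 5 * 60 * 1000  # assumption: accept responses up to 5 minutes old


def _b64url_decode(segment):
    # JWS segments are base64url with the '=' padding stripped
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_attestation(jws):
    """Return the JSON payload of a JWS compact string (header.payload.signature).

    The signature and certificate chain are NOT checked here; a real verifier
    must validate them before trusting any field.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    return json.loads(_b64url_decode(parts[1]))


def classify(payload, expected_nonce, now_ms):
    """Map the verdict fields to a short label (labels are this example's own)."""
    if base64.b64decode(payload.get("nonce", "")) != expected_nonce:
        return "reject-nonce"      # response was not produced for our request
    if now_ms - payload.get("timestampMs", 0) > MAX_AGE_MS:
        return "reject-stale"      # old response, possibly replayed
    basic = payload.get("basicIntegrity") is True
    cts = payload.get("ctsProfileMatch") is True
    if basic and cts:
        return "certified"
    if basic:
        # The state reported above: ctsProfile false, basicIntegrity true.
        # Google's documentation lists an unlocked bootloader and a custom
        # ROM among the causes of this combination.
        return "integrity-only"
    return "failed"


def make_sample(cts, basic, nonce, ts_ms):
    """Build a CONSTRUCTED, unsigned sample response for the demo."""
    header = _b64url_encode(json.dumps({"alg": "RS256"}).encode())
    body = {"nonce": base64.b64encode(nonce).decode(), "timestampMs": ts_ms,
            "ctsProfileMatch": cts, "basicIntegrity": basic}
    payload = _b64url_encode(json.dumps(body).encode())
    return f"{header}.{payload}.{_b64url_encode(b'constructed-not-a-signature')}"


if __name__ == "__main__":
    nonce, now = b"constructed-nonce-0001", 1_650_000_000_000
    for cts, basic in [(True, True), (False, True), (False, False)]:
        jws = make_sample(cts, basic, nonce, now - 1000)
        print(cts, basic, "->", classify(parse_attestation(jws), nonce, now))
```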

LineageOS is supposed to be certified by Google. But from time to time updated versions fail to be certified. Basically, install the Magisk modules for Busybox (prerequisite) and MagiskHide Props Config. Guess which device to emulate. That got him past SafetyNet, except for one game. He had forgotten to spoof the name of MagiskManager; doing that brought that game to life.

After clearing data for Play Store and rebooting, I configured settings again, then selected My Apps and Games. It showed a panel saying Install apps you've used before. It found 10 apps: apps from the Sony stock image (that I never opened) like PlayStation App, three that I had on the old phone, and one that I actually installed on the Sony stock image. Selectively installing them on the Pioneer.

I found out a better way to install previous apps: Play Store web URL, likely you can click to install, on the phone. It has most of them, including some that I must have had at one time but then uninstalled.

In MagiskManager I installed Busybox by osm0sis (prerequisite) and MagiskHide Props Config by didgeridoohan. Reboot afterward. Following instructions: start a terminal (LOS has one, unless you suppressed it in initial setup), command props and grant root access, choice 3 to enable better hiding (and reboot if it prompts), then choice 1, and then 'f', and pick your fake OS.

Google Pay on Rooted Phone (on Pioneer)

On this phone I would very much like to use Google Pay, a digital payment app whose security exposures differ from those of a physical credit card with a static and stealable account number. (Apple Pay pioneered getting merchants to install the software and an NFC reader, but Google Pay and possibly others can use the same protocol even if the reader is Apple branded.) The digital payment protocol uses a one-time code, so a thief cannot steal the transaction record off the wire and use it for a nefarious transaction, a notorious vulnerability. But the credit card's number resides in the phone, where malware could steal it if it were able to subvert security that is very difficult to defeat and involves SELinux. Obviously a rooted phone is a serious threat to this security model, and Google Pay will clam up if it detects root capability. The system service that handles root checking is called SafetyNet.

Therefore if you want root, it has to be stealthy. Of course the easiest solution is to not root your phone. So what do I use root for?

How to Use Google Pay on Rooted Android Phones by Rohail Khan (2018-07-18). Use Magisk root. Configure Magisk to use BusyBox, Magisk Hide, and Systemless Host. Enable Magisk Core Only (and reboot). Look for the SafetyNet lack-of-root report. It should pass, and both Google Pay and rooted apps should work. Jimc's note: I think turning on Core Only would preclude spoofing the OS type, if that's needed to pass the ctsProfile check.

Google Pay no longer worked, OP henban89 (2019-03-03). It turns out that an updated version of Google Pay was aware of Magisk. A respondent gives instructions to revert to a back version and prevent it from being updated.

Google Play Certification: What it is, and how it affects you by JavelinAndArt (2018-04-09). This is what SafetyNet checks. You need to register your Google Services Framework. If you aren't passing SafetyNet, you will be prevented from downloading some apps, and others like Google Pay will not work at all. See also SafetyNet: What it is, and how it affects you by JavelinAndArt (2017-06-05).

Working: Magisk with Google Pay as of gms 17.1.22 on Pie OP BostonDan (2019-05-14). He gives a credible looking procedure for getting around the security check.

Before I try to make Google Pay work, I need to install Magisk Manager, try the SafetyNet check, and get it so it passes SafetyNet. (And don't forget to obfuscate the name of the MagiskManager app, which some programs check for explicitly.) On the first installation attempt, I ended up with a failure in ctsProfile, a server-side test; basicIntegrity (client side) passed. Forum posts about troubleshooting this invariably say, wipe your phone, reinstall the OS, and step by step, check if you're passing SafetyNet. The point at which it starts failing gives a clue what intervention may fix it.

Repeating installation up to the point of activating Magisk.

Now to see if Google Pay will actually function. Since there's an unconfigured instance of Google Pay in my backup, I'll restore state first. I'm using Backup Your Mobile By Artur Jaszczyk. Re-installing this app. There's also an active instance of Magisk Manager. The current instance is called MgkMgr; the backed-up one is … It restored 0 application data, 1 Wi-Fi password, 48 system settings, and the app list. Please restart device. It should have restored application data; I don't know why it didn't. Play Store did not seem to know which apps it was supposed to reinstall. Neither did it restore the icon load of my home screen. In Settings - Apps - See All Apps - (name of app) - Permissions - turn them all on; in the dotdotdot menu there's one item for all permissions. Restore again. This time it went much faster probably because the target data didn't need to be changed. Not much improvement. I think this has failed. Next time around I'll try ADB backup.

Installing Google Pay. With Magisk core only mode on or off, and with the Google Services Framework ID registered, it passes SafetyNet. But Google Pay still says This phone can't be used to pay in stores. This may be because it is rooted… Turned on Google Pay in the Magisk Hide list, joining Google Play Services. Didn't help (but I left it on). Turned on Google Play Services. And rebooted. Didn't help (but I left it on).

Google Pay Magisk Discussion Thread, moderated by Didgeridoohan, response #5 by JarlPenguin (2019-03-03). Discussing similar symptoms seen last year, an update to Google Play Services caused it. Wait for a version of Magisk that it can't resist. Temporarily revert to the previous version by using the procedure shown.

How to get GPay to work on rooted Xiaomi Mi9 by smohanv (2019-09-24). He links to a Magisk module and lists the operations that it does if you want to do it by hand. Basically, lie about whether (something) has been attested, and change the mode to 440 so your fix can't be reverted. See response #11 by 73sydney and follow the links there, if downloading the module.

Conclusion: I need to just be patient. The procedure for reverting to a prior version requires a prior version to revert to, which I don't have. Once I have a working version (of Magisk, Google Play Services, and Google Pay), I'll save them so I can revert if needed.
