CLI install guide
This is a guide on installing GrapheneOS on the officially supported devices. It can be followed for both the official releases and custom builds. The web installer is an easier approach to installing the official releases via a browser with WebUSB support.
We strongly recommend following these official instructions. The official guide has a lot of collaborative effort put into covering all of the edge cases and is regularly tested by many people on each supported OS. Following these instructions to the letter without skipping, reordering or adding any steps will give you a proper GrapheneOS installation unless there's a hardware issue. We strongly recommend against following unofficial guides deviating in any way from the official instructions.
If you have trouble with the installation process, ask for help on the official GrapheneOS chat channel. There are almost always people around willing to help with it. Before asking for help, make an attempt to follow the guide on your own and then ask for help with anything you get stuck on.
Prerequisites
You need a computer for running the CLI install process with at least 2GB of free memory available and 32GB of free storage space. The web installer can be run on an Android phone or tablet, unlike the command-line installation.
You need a USB cable for attaching the device to the computer performing the installation. Whenever possible, use the high quality standards compliant USB-C cable packaged with the device. If your computer doesn't have any USB-C ports, you'll need a high quality USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on a desktop computer case. Connect directly to a rear port on a desktop or the ports on a laptop. Many widely distributed USB cables and hubs are broken and are the most common source of issues for installing GrapheneOS.
Installing from an OS in a virtual machine is not recommended. USB passthrough is often not reliable. To rule out these problems, install from an OS running on bare metal. Virtual machines are also often configured to have overly limited memory and storage space.
Officially supported operating systems for the CLI install method:
- Windows 10
- Windows 11
- macOS Ventura (13)
- macOS Sonoma (14)
- macOS Sequoia (15)
- Arch Linux
- Debian 11 (bullseye)
- Debian 12 (bookworm)
- Ubuntu 20.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 24.04 LTS
- Linux Mint 20 (follow Ubuntu 20.04 LTS instructions)
- Linux Mint 21 (follow Ubuntu 22.04 LTS instructions)
- Linux Mint 22 (follow Ubuntu 24.04 LTS instructions)
- Linux Mint Debian Edition 6 (follow Debian 12 instructions)
Make sure your operating system is up-to-date before proceeding.
The web installer is more portable and can be used from Android, ChromeOS and GrapheneOS itself since it can run anywhere with a browser with working WebUSB support.
You need one of the officially supported devices. To make sure that the device can be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier variants of Pixels use the same stock OS and firmware with a non-zero carrier id flashed onto the persist partition in the factory. The carrier id activates carrier-specific configuration in the stock OS including disabling carrier and bootloader unlocking. The carrier may be able to remotely disable this, but their support staff may not be aware and they probably won't do it. Get a carrier agnostic device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id and the hardware is the same.
It's best practice to update the device before installing GrapheneOS to have the latest firmware for connecting the device to the computer and performing the early flashing process. Either way, GrapheneOS flashes the latest firmware early in the installation process.
Enabling OEM unlocking
OEM unlocking needs to be enabled from within the operating system.
Enable the developer options menu by going to Settings > About phone/tablet and repeatedly pressing the Build number menu entry until developer mode is enabled.
Next, go to Settings > System > Developer options and toggle on the OEM unlocking setting. On device model variants (SKUs) which support being sold as locked devices by carriers, enabling OEM unlocking requires internet access so that the stock OS can check if the device was sold as locked by a carrier.
For the Pixel 6a, OEM unlocking won't work with the version of the stock OS from the factory. You need to update it to the June 2022 release or later via an over-the-air update. After you've updated it you'll also need to factory reset the device to fix OEM unlocking.
Opening terminal
These instructions use command-line tools. Launch the terminal as you would any other application. On Windows, launch a regular non-administrator instance of the PowerShell terminal. Do not use the legacy Command Prompt or administrator variant of PowerShell.
Use the same terminal for the whole installation process. If you close it, you'll lose the setup of the environment for the installation.
On Windows, run the following command to remove PowerShell's legacy curl alias for the current shell to avoid needing to reference it as curl.exe
instead of curl
:
Remove-Item Alias:Curl
Obtaining fastboot
You need an updated copy of the fastboot
tool and the directory containing it needs to be included in the PATH
environment variable. You can run fastboot --version
to determine the current version. It must be at least 35.0.1
. You can use a distribution package for this, but most of them mistakenly package development snapshots of fastboot, clobber the standard version scheme for platform-tools (adb, fastboot, etc.) with their own scheme and don't keep it up-to-date despite that being crucial.
On Arch Linux, install android-tools
and skip the section below on using the standalone release of platform-tools from Android:
sudo pacman -S android-tools
Debian and Ubuntu do not have a usable package for fastboot. Their packages for these tools are both broken and many years out-of-date. Follow the instructions below for platforms without a proper package.
Standalone platform-tools
If your operating system doesn't include a usable version of fastboot, you can use the official standalone releases of platform-tools. This is our recommendation for most users. The flashing process won't work unless you follow these instructions including setting up PATH.
To download, verify and extract the standalone platform-tools on Debian and Ubuntu:
sudo apt install libarchive-tools curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-linux.zip echo 'acfdcccb123a8718c46c46c059b2f621140194e5ec1ac9d81715be3d6ab6cd0a platform-tools_r35.0.2-linux.zip' | sha256sum -c bsdtar xvf platform-tools_r35.0.2-linux.zip
To download, verify and extract the standalone platform-tools on macOS:
curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-darwin.zip echo 'SHA256 (platform-tools_r35.0.2-darwin.zip) = 1820078db90bf21628d257ff052528af1c61bb48f754b3555648f5652fa35d78' | shasum -c tar xvf platform-tools_r35.0.2-darwin.zip
To download, verify and extract the standalone platform-tools on Windows:
curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-win.zip (Get-FileHash platform-tools_r35.0.2-win.zip).hash -eq "2975a3eac0b19182748d64195375ad056986561d994fffbdc64332a516300bb9" tar xvf platform-tools_r35.0.2-win.zip
Next, add the tools to your PATH
in the current shell so they can be used without referencing them by file path, enabling usage by the flashing script.
On Debian, Ubuntu and macOS:
export PATH="$PWD/platform-tools:$PATH"
On Windows:
$env:Path = "$pwd\platform-tools;$env:Path"
This only changes PATH
for the current shell and will need to be done again if you open a new terminal.
Checking fastboot version
Check the output of fastboot --version
before continuing.
Example of the output after following the instructions above for the standalone platform-tools:
fastboot version 35.0.2-12147458 Installed as /home/username/platform-tools/fastboot
Flashing as non-root
On traditional Linux distributions, USB devices cannot be used as non-root without udev rules for each type of device. This is not an issue for other platforms.
On Arch Linux:
sudo pacman -S android-udev
On Debian and Ubuntu:
sudo apt install android-sdk-platform-tools-common
The udev rules on Debian and Ubuntu are very out-of-date but the package has the rules needed for Pixel devices since the same USB IDs have been used for many years.
Working around fwupd bug on Linux distributions
Debian stable and Ubuntu have an outdated fwupd package with a bug breaking connecting to Android's bootloader interface (fastboot) while fwupd is running since it tries to connect to arbitrary devices. This section can be skipped on Arch Linux and other distributions with fwupd 1.9.10 or later since we reported the bug and it was fixed. This never impacted Android or ChromeOS.
You can stop fwupd with the following command:
sudo systemctl stop fwupd.service
This doesn't disable the service and it will start again on reboot.
Booting into the bootloader interface
You need to boot your device into the bootloader interface. To do this, you need to hold the volume down button while the device boots.
The easiest approach is to reboot the device and begin holding the volume down button until it boots up into the bootloader interface.
Alternatively, turn off the device, then boot it up while holding the volume down button during the boot process. You can either boot it with the power button or by plugging it in as required in the next section.
Connecting the device
Connect the device to the computer. On Linux, you'll need to do this again if you didn't have the udev rules set up when you connected it.
Current Windows 10 and Windows 11 include a generic driver usable for fastboot and no longer require installing a driver for installation on the Pixel 4a (5G) or later. It isn't enough for legacy 4th generation Pixels due to the driver not handling fastbootd, so you still need the driver for those. Outdated Windows versions will still need the driver for non-obsolete devices too. You can obtain the driver from Windows Update which will detect it as an optional update when the device is booted into the bootloader interface and connected to the computer. Open Windows Update, run a check for updates and then open the "View optional updates" interface. Install the driver for the Android bootloader interface as an optional update, which will show up as "LeMobile Android Device" due to USB ID overlap. An alternative approach to obtaining the Windows fastboot driver is to obtain the latest driver for Pixels from Google and then manually install it with the Windows Device Manager.
For the Pixel Tablet, disconnect it from the stand before continuing. The stand uses USB to provide charging and audio output, but the tablet lacks support for using both the stand and USB port at the same time.
Unlocking the bootloader
Unlock the bootloader to allow flashing the OS and firmware:
fastboot flashing unlock
The command needs to be confirmed on the device and will wipe all data. Use one of the volume buttons to switch the selection to accepting it and the power button to confirm.
Obtaining openssh
OpenSSH is used to verify the download of the OS beyond the security offered by HTTPS.
macOS and Windows include OpenSSH in their base install so this isn't needed.
On Arch Linux:
sudo pacman -S openssh
On Debian and Ubuntu:
sudo apt install openssh-client
Obtaining factory images
You need to obtain the GrapheneOS factory images for your device to proceed with the installation process.
You can either download the files with your browser or using a command like curl
. It's generally easier to use the command-line since you're already using it for the rest of the installation process, so these instructions use curl
.
Download the factory images public key (allowed_signers) in order to verify the factory images:
curl -O https://releases.grapheneos.org/allowed_signers
This is the content of allowed_signers
:
contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
Other locations to obtain the signing key:
The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:
curl -O https://releases.grapheneos.org/allowed_signers.sig signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub
When the current signing key is replaced, the new key will be signed with it.
Download the factory images for the device from the releases page. For example, to download the VERSION
release for a device with the codename DEVICE_NAME
:
curl -O https://releases.grapheneos.org/DEVICE_NAME-install-VERSION.zip curl -O https://releases.grapheneos.org/DEVICE_NAME-install-VERSION.zip.sig
Next, verify the factory images using the signature.
On Linux and macOS:
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-install-VERSION.zip.sig < DEVICE_NAME-install-VERSION.zip
On Windows:
cmd /c 'ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-install-VERSION.zip.sig < DEVICE_NAME-install-VERSION.zip'
This will produce the following output when successful:
Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256:AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM
Flashing factory images
The initial install will be performed by flashing the factory images. This will replace the existing OS installation and wipe all the existing data.
Next, extract the factory images.
On Linux:
bsdtar xvf DEVICE_NAME-install-VERSION.zip
On macOS and Windows:
tar xvf DEVICE_NAME-install-VERSION.zip
Move into the directory:
cd DEVICE_NAME-install-VERSION
Flash the images with the flash-all script in the directory.
On Linux and macOS:
bash flash-all.sh
On Windows:
./flash-all.bat
Wait for the flashing process to complete. It will automatically handle flashing the firmware, rebooting into the bootloader interface and flashing the OS. Avoid interacting with the device until the flashing script is finished. Then, proceed to locking the bootloader before using the device as locking wipes the data again.
Troubleshooting
The text output from a failed attempt at flashing will contain valuable diagnostic information which is essential in knowing where and how the process went wrong. Please provide this information when asking for help on the GrapheneOS chat room.
A common issue on Linux distributions is that they mount the default temporary file directory /tmp
as tmpfs which results in it being backed by memory and swap rather than persistent storage. By default, the size is 50% of the available virtual memory. This is often not enough for the flashing process, especially since /tmp
is shared between applications and users. To use a different temporary directory if your /tmp
doesn't have enough space available:
mkdir tmp && TMPDIR="$PWD/tmp" ./flash-all.sh
Locking the bootloader
Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it's verified again which makes verified boot robust to non-malicious corruption.
In the bootloader interface, set it to locked:
fastboot flashing lock
The command needs to be confirmed on the device and will wipe all data. Use one of the volume buttons to switch the selection to accepting it and the power button to confirm.
Post-installation
Booting
You've now successfully installed GrapheneOS and can boot it. Pressing the power button with the default Start option selected in the bootloader interface will boot the OS.
Disabling OEM unlocking
During first setup, the final screen will contain a toggle regarding OEM unlocking which is checked by default. This will disable OEM unlocking, which is recommended.
If you need to enable or disable OEM unlocking in the future, it can be done in the developer settings menu within the operating system.
Verifying installation
The verified boot and attestation features provided by the supported devices can be used to verify that the hardware, firmware and GrapheneOS installation are genuine. Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with these features.
Verified boot verifies the entirety of the firmware and OS images on every boot. The public key for the firmware images is burned into fuses in the SoC at the factory. Firmware security updates also update the rollback index burned into fuses to provide rollback protection.
The final firmware boot stage before the OS is responsible for verifying it. For the stock OS, it uses a hard-wired public key. Installing GrapheneOS flashes the GrapheneOS verified boot public key to the secure element. Each boot, this key is loaded and used to verify the OS. For both the stock OS and GrapheneOS, a rollback index based on the security patch level is loaded from the secure element to provide rollback protection.
Verified boot key hash
When loading an alternate OS, the device shows a yellow notice on boot with the ID of the alternate OS based on the sha256 of the verified boot public key. 4th and 5th generation Pixels only show the first 32 bits of the hash so you can't use this approach. 6th generation Pixels onwards show the full hash and you can compare it against the official GrapheneOS verified boot key hashes below:
- Pixel 9 Pro Fold:
af4d2c6e62be0fec54f0271b9776ff061dd8392d9f51cf6ab1551d346679e24c
- Pixel 9 Pro XL:
55d3c2323db91bb91f20d38d015e85112d038f6b6b5738fe352c1a80dba57023
- Pixel 9 Pro:
f729cab861da1b83fdfab402fc9480758f2ae78ee0b61c1f2137dd1ab7076e86
- Pixel 9:
9e6a8f3e0d761a780179f93acd5721ba1ab7c8c537c7761073c0a754b0e932de
- Pixel 8a:
096b8bd6d44527a24ac1564b308839f67e78202185cbff9cfdcb10e63250bc5e
- Pixel 8 Pro:
896db2d09d84e1d6bb747002b8a114950b946e5825772a9d48ba7eb01d118c1c
- Pixel 8:
cd7479653aa88208f9f03034810ef9b7b0af8a9d41e2000e458ac403a2acb233
- Pixel Fold:
ee0c9dfef6f55a878538b0dbf7e78e3bc3f1a13c8c44839b095fe26dd5fe2842
- Pixel Tablet:
94df136e6c6aa08dc26580af46f36419b5f9baf46039db076f5295b91aaff230
- Pixel 7a:
508d75dea10c5cbc3e7632260fc0b59f6055a8a49dd84e693b6d8899edbb01e4
- Pixel 7 Pro:
bc1c0dd95664604382bb888412026422742eb333071ea0b2d19036217d49182f
- Pixel 7:
3efe5392be3ac38afb894d13de639e521675e62571a8a9b3ef9fc8c44fd17fa1
- Pixel 6a:
08c860350a9600692d10c8512f7b8e80707757468e8fbfeea2a870c0a83d6031
- Pixel 6 Pro:
439b76524d94c40652ce1bf0d8243773c634d2f99ba3160d8d02aa5e29ff925c
- Pixel 6:
f0a890375d1405e62ebfd87e8d3f475f948ef031bbf9ddd516d5f600a23677e8
Checking this is useful after installation, but you don't need to check it manually for verified boot to work. The verified boot public key flashed to the secure element can only be changed when the device is unlocked. Unlocking the device performs the same wiping of the secure element as a factory reset and prevents data from being recovered even if the SSD was cloned and your passphrase(s) are obtained because the encryption keys can no longer be derived anymore. The verified boot key is also one of the inputs for deriving the encryption keys in addition to the user's lock method(s) and random token(s) on the secure element.
Hardware-based attestation
GrapheneOS provides our Auditor app for using a combination of the verified boot and attestation features to verify that the hardware, firmware and operating system are genuine along with providing other useful data from the hardware and operating system.
Since the purpose of Auditor is to obtain information about the device without trusting it to be honest, results aren't shown on the device being verified. You need a 2nd Android device running Auditor for local QR code based verification. You can also use our optional device integrity monitoring service for automatic scheduled verifications with support for email alerts.
See the Auditor tutorial for a guide.
Auditor is primarily based on a pairing model where it generates a hardware backed signing key and hardware backed attestation signing key and pins them as part of the initial verification. The first verification is bootstrapped based on chaining trust to one of the Android attestation roots. After the first verification, it provides a highly secure system for obtaining information about the device going forward. An attacker could bypass the initial verification with a leaked attestation key or by proxying to another device with the device model, OS and patch level that the user is expecting. Proxying to another device will be addressed in the future with optional support for the hardware serial number attestation feature.
Further information
Please look through the usage guide and FAQ for more information. If you have further questions not covered by the site, join the official GrapheneOS chat channels and ask the questions in the appropriate channel.
Replacing GrapheneOS with the stock OS
Installation of the stock OS via the stock factory images is the same process described above. However, before flashing and locking, there's an additional step to fully revert the device to a clean factory state.
The GrapheneOS factory images flash a non-stock Android Verified Boot key which needs to be erased to fully revert back to a stock device state. Before flashing the stock factory images, you should boot the device into fastboot mode and make sure the bootloader is unlocked. Then erase the custom Android Verified Boot key to untrust it:
fastboot erase avb_custom_key