Smartphone Hardening: Motorola

Installing the LineageOS distribution on a Nexus 6 as a base for hardening has become very easy and takes only a few minutes w/ adb and fastboot (part of the android-sdk) already installed on your POSIX machine.

  • Enable USB Debugging in the phone settings
  • Connect device and check by running adb devices -l
  • Reboot into bootloader: adb reboot bootloader
  • Again, check connectivity: fastboot devices -l
  • Unlock the bootloader:
fastboot oem unlock
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
(bootloader) Please select 'YES' on screen if you want to continue...
(bootloader) Unlocking bootloader...
(bootloader) Unlock completed! Wait to reboot
  • Flash recovery:
fastboot flash recovery twrp-3.3.1-0-shamu.img
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
(bootloader) has-slot:recovery: not found
target reported max download size of 536870912 bytes
sending 'recovery' (11887 KB)...
OKAY [  0.393s]
writing 'recovery'...
OKAY [  0.171s]
finished. total time: 0.564s
  • Select Recovery Mode and reboot into TWRP
  • Backup existing ROM (system partition) onto USB-OTG
  • Install LOS: Wipe/Factory Reset, then install – e.g. using adb sideload – a) LOS b) OpenGapps c) addonsu

Note about encryption: When running LOS 15.1 and TWRP 3.2.3, encrypting the device results in a completely unstable O/S. When running LOS 16.0 and TWRP 3.3.1, encrypting the device works and results in a usable O/S. However, TWRP still does not accept the FDE password and is therefore unable to mount /data.

So, after having flashed the device, now is the time for further hardening: install a local firewall such as AFWall+, VPN software like WireGuard, Firefox Klar/Focus, K-9 Mail, OpenKeychain, SnoopSnitch etc., and create a backup using TWRP.

The encryption problem mentioned above can also be worked around quite easily: first create a fresh TWRP backup and only then encrypt the device. This comes in handy right before travelling abroad, but remember that afterwards you have to a) WIPE the device using TWRP (without unlocking /data) and then b) reflash the last backup, so that you are able to create fresh backups from time to time.

Smartphone Hardening: Samsung

A smartphone like the Samsung S4 bought only a few years ago will most probably run Android 4.4.x “KitKat” (or 5.x if upgraded), as this is the stock ROM it contained right after market introduction. New devices are still sold for ~150€ running Android 5.x “Lollipop”, which is nearly equally old. I already flashed Cyanogenmod 11 back then to have more control over the device along w/ root access, which enabled me to configure netfilter and install VPN S/W.

But if you follow the Android OS version history it becomes immediately clear that – as the ppl at LineageOS state – 7/10 run outdated operating systems on their phones. This is a matter of upgrading your device, and that is what I just did, involving testing of lots of different ROMs and Android versions, which I’m going to skip in this post.


If you reduce them to the minimum and exclude all the time spent on testing and research, the steps to upgrade an S4 LTE (official release date May 2013) from 4.4.x to a fairly current, rooted 8.1 “Oreo” are as follows:

Step 1: Use heimdall to flash the TWRP recovery system onto the device. This can simply be done from the command line after you have put the phone into Download Mode (by pressing VolumeDown+Power while turning the phone on):

sudo heimdall flash --verbose --RECOVERY recovery.img

Step 2: Use heimdall to flash an updated baseband firmware containing an updated kernel and phone/modem-related firmware. I prefer the GUI for that step as it gives a far better overview of what we are doing.

This is not as hard as it looks: after you have downloaded the .tar file, extract it to a temporary folder and see which files it contains. Afterwards, use heimdall to download the device's partition layout table (PIT). Next, select the PIT file, hit the “Add” button and select each partition and its corresponding file from the folder you extracted the .tar file to, tick “No Reboot” and “Resume”, and finally hit the start button.

Step 3: Flash a new ROM onto the device via TWRP. Start the device by pressing VolumeUp + Home + Power to enter its recovery mode. From there, select the relevant files in the right order (and compare their checksums), which in my case were: d3213c4895e2565ee3a7f3dd0d47aedcbe9f621eb8f89f9c51351d92573ae5dd b5cc465abb3d9b7ad0177e74693e1bbd085775fd38808f640be537e8dcd1a3e8 e544ad0aea8702d73f2b2451e42c83cb96157881ce7879dcdea11e2bb4835718

It appears to me that it is easily possible – and even by means of only using freely available S/W – to update all those horribly insecure smartphones out there, and it’s even far easier to achieve than back in the days. So – I ask myself – why is there no public service offered by the shop you bought your phone at that enables non-technical ppl to get this done, eradicating that bad thing called planned obsolescence?


Upgraded from stock Android 6.0 to LineageOS 15.1 / Android 8.1 on an SM-T585 tablet (2016) as well (search for “sm-t585” or “gtaxllte” for relevant TWRP and LineageOS images):

sudo heimdall flash --verbose --RECOVERY recovery.img
Initialising connection...
Detecting device...
      Manufacturer: "SAMSUNG"
           Product: "Gadget Serial"
RECOVERY upload successful
Ending session...
Rebooting device...
Releasing device interface...

Interesting to note that this time the device itself does not really get identified. Last but not least: do not forget to create and redundantly store backups of the device(s) when finished w/ configuration et al.


Doing the same for an S4 mini LTE a.k.a. GT-I9195i a.k.a. serranoveltexx (official release date June 2014) running stock Android 4.4.4. TWRP was already flashed; it is important to note that heimdall v1.4.2 – as for the two previous devices – had to be built from source to really work:

git clone
cd Heimdall
cmake . && make && sudo make install

Remember to install the dependencies (like libusb-dev, libqt5 etc.) mentioned in cmake warnings/errors; then it builds w/o error and flashes the device successfully. Flashing a Lineage 14.1 image is now only a matter of copying the relevant ZIP files and MD5 sums of OpenGapps, addonsu and the image itself to SD (or USB-OTG), booting the device into recovery, doing a factory reset and installing the following sha256-checksummed files: 92715821b7dd4c1906512e75dd8327c50af3eeb5865626a65a04907b1e900704 97420755446608ea226817322883192ba0c56ce4703feed9c52dc3344656ab2b 1c0953b2eb3c5d2e88eeb7df4d60709aeb18e8acf56fb380ce83f5acb3dcbb8f
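The checksum comparison that precedes every install above (the adb sideload route on the Nexus, and the copy-to-SD route on the Samsung devices) is worth making a hard gate rather than a manual glance. As an added example that is not code from this post, a small POSIX shell script that refuses to flash anything unless every file matches its published sha256; it assumes a manifest in sha256sum's "<sha256>  <file>" format, and the file names are placeholders:

```shell
#!/bin/sh
# Added example (not from the post): refuse to flash anything unless every
# image/ZIP matches its published sha256, then "adb sideload" in the post's
# order (ROM, OpenGapps, addonsu). Manifest lines: "<sha256>  <file>" as
# written by sha256sum; file names used here are placeholders.
set -e
# sha256_of FILE: hex digest (GNU coreutils, or BSD/macOS shasum fallback)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: 0 if FILE exists and matches, 1 otherwise
verify_sha256() {
  [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    echo "ok: $1"
  else
    echo "MISMATCH: $1 got $actual expected $2" >&2
    return 1
  fi
}

# verify_manifest MANIFEST: check every line, report all, fail if any failed
verify_manifest() {
  rc=0
  while read -r sum file; do
    [ -n "$sum" ] || continue              # skip blank lines
    verify_sha256 "$file" "$sum" || rc=1   # keep going to list every problem
  done < "$1"
  return $rc
}
# sideload_in_order MANIFEST: verify first and abort before touching the phone
# on any mismatch; device must be in TWRP's "ADB Sideload" mode for each file.
sideload_in_order() {
  verify_manifest "$1" || { echo "aborting: checksum failure" >&2; return 1; }
  while read -r sum file; do
    [ -n "$sum" ] || continue
    echo "sideloading $file"
    adb sideload "$file" </dev/null        # don't let adb eat the manifest
  done < "$1"
}
if [ "${RUN_FLASH:-0}" = "1" ]; then       # RUN_FLASH=1 ./script manifest.sha256
  sideload_in_order "${1:-manifest.sha256}"
fi
```

For the SD-card route only the verify_manifest step applies; run it on the files before copying them over.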

If you buy a smartphone or a tablet (which is basically the same) nowadays and start using it, you are sending out tons of data about what you type, where you are, etc., while most of the time being unable to block, control or even notice any of these data transfers. At the same time, this is vastly contributing to the effort of turning you into a uniquely identifiable individual – transparent to industry, commerce, or whoever else might be interested, 1984-style.

A quick way to take a peek at what data your Android device is sending to whom is to put it on your local wireless network and monitor all traffic from the device passing the router (e.g. with a BPF filter such as “host” followed by the phone's address).
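As an added example that is not code from this post, a POSIX shell function that turns such a capture into a per-destination summary of what the phone sent and how much; the phone address, interface and sample capture lines are constructed, and it assumes tcpdump's default one-line -n output format:

```shell
#!/bin/sh
# Added example (not from the post): summarise what a phone on your LAN sends
# to whom, from "tcpdump -n" output captured on the router or monitoring host.
# Assumes tcpdump's default one-line IPv4 format (IPv6 lines are ignored); the
# phone address and sample capture below are constructed.

# summarize_phone_traffic PHONE_IP < tcpdump_output
# Prints "dst_ip:dst_port packets bytes" per destination the phone sent to,
# largest byte count first. Only packets whose source is PHONE_IP are counted.
summarize_phone_traffic() {
  awk -v phone="$1" '
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)         # drop trailing ":"
      split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]
      if (sip != phone) next                          # only phone -> outside
      m = split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]
      dport = (m > 4) ? d[5] : "-"                    # ICMP etc. have no port
      key = dip ":" dport
      pkts[key]++
      if ($(NF-1) == "length") bytes[key] += $NF      # payload length
    }
    END { for (k in pkts) printf "%s %d %d\n", k, pkts[k], bytes[k] }
  ' | sort -k3,3nr
}

# live_phone_summary IFACE PHONE_IP COUNT: capture COUNT packets to/from the
# phone with the BPF "host" filter the post mentions, then summarise (needs root).
live_phone_summary() {
  tcpdump -l -n -c "$3" -i "$1" host "$2" 2>/dev/null | summarize_phone_traffic "$2"
}

# Constructed sample capture: two TLS segments to one host, the host's reply,
# an mDNS datagram, and a packet from another LAN host that must be ignored.
SAMPLE_CAPTURE='10:00:00.000001 IP 192.168.1.23.45210 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
10:00:00.000002 IP 203.0.113.10.443 > 192.168.1.23.45210: Flags [.], ack 518, win 1000, length 0
10:00:00.000003 IP 192.168.1.23.45210 > 203.0.113.10.443: Flags [P.], seq 518:600, ack 1, win 229, length 82
10:00:00.000004 IP 192.168.1.23.5353 > 224.0.0.251.5353: UDP, length 80
10:00:00.000005 IP 192.168.1.50.40000 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0'

# sample_summary: the summary for the constructed capture (phone = 192.168.1.23)
sample_summary() {
  printf '%s\n' "$SAMPLE_CAPTURE" | summarize_phone_traffic 192.168.1.23
}
```

Destinations that show up while the phone is idle are the ones worth feeding into the firewall rules mentioned later.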

To overcome this unacceptable state of affairs, you are free to root your phone and install a custom operating system (or rather a modification of the stock Android). The steps I undertook to transform my device into a rather acceptable (and not bugging-me) device were – amongst others:

  • Flash Clockworkmod Recovery
  • Optional: Create backup of (mostly) stock firmware
  • Flash Cyanogenmod 11
  • Install (some of) Google Apps
  • Create backup of CM11 firmware (repeat this after “milestones”)
  • Save all the backups on at least one different storage medium
  • Disable everything you do not need (NFC, Bluetooth, autosync features, …)

When it comes to COMSEC/OPSEC, you have quite a few options. In general, it is better to use F-Droid than Google Play.

  • Advanced Task Killer
  • OpenVPN
  • APG (together w/ K9Mail and only via VPN)
  • AFWall+
  • ChatSecure (Jabber + OTR)
  • HTTPS Everywhere for Android/Firefox
  • Textsecure
  • Owncloud (as in YOU OWN that cloud)
  • Think twice before installing an app
  • Store sensitive data GPG-encrypted

Always try to use servers that you – or friends/ppl you trust – own, control and monitor (e.g. VPN, mail, cloud/hosting etc.) so that you have an additional layer of security.

A message to the ppl behind Cyanogenmod: Thank you, I have been running your customized android O/S for many years successfully on:

  • Google G1
  • HTC Desire
  • Samsung Galaxy S3 LTE
  • Samsung Galaxy S4 LTE+