Как установить copperhead os

В» Installation

CopperheadOS installation instructions

CopperheadOS currently has official support for the following devices:

At one point CopperheadOS was supported on the:

It can be ported to other Android devices with Treble support via the standard device porting process. Most devices lack support for the security requirements needed to match how it works on the officially supported devices.

The Copperhead web installer is currently available to Copperhead Partners with full flashing and locking capabilities.

Windows 10 Installation Simplified

Preparing devices for flashing

Start the device you intend to flash normally, and connect it to the internet.

Enable developer options, USB debugging, and OEM Unlocking

You will now set enable OEM Unlocking. This requires an active network connection such as WiFi. If you cannot enable OEM unlocking with an active network connection, you will need to contact the vendor you bought your device from. Your device will require a restart. Please do so now, and then continue below.

Windows 10 Prerequisites

Your machine will require at least 4GB RAM and 16GB of disk space. For best results please ensure that Windows 10 is updated to the latest version available.

Decompressing Factory Images in Windows

Download the Android platform-tools for Windows, here. Unzip them to an easily accessible directory. You will need to ensure that these tools are up to date whenever you flash devices.

Add Android platform-tools to Path

Add the platform-tools directory to your System Environment Path variable.

In PowerShell, it is possible to set environment variables with a single command:

For example, if we downloaded the platform-tools and unzipped them into their own folder in our Windows user Downloads directory. Be sure to fill in the correct directory path to your platform-tools directory.

System Environment Variable GUI

A guide using the Windows GUI: Add to Path in Windows

Downloading Factory Images

CopperheadOS currently provides factory images to the Copperhead Partner network and is not open to the public for download.

Factory image files follow the name format codename-factory-BuildID.tar, for example:

The full path would be:

Users unfamiliar with PowerShell can simply open the folder in File Explorer and click the Files menu and choose ‘Open Windows PowerShell’ to begin a PowerShell session in the open folder.

Flashing requires only a handful of commands. With your device connected by USB to your Windows machine begin with:

This will start the Android Device Bridge daemon the first time it is run. You will now need to authorize adb to communicate with your device. Tap Allow on the pop-up on your device. The adb devices command may time out before you authorize it, do not worry, if this happens just re-run the command by pressing the Up Arrow on your keyboard and then enter.

For example, with our sunfish device:

Now that we know our device is prepared and connected, we can begin flashing.

First, we will put our sunfish device into fastboot mode using adb.

Your device should immediately restart, and the next screen you see on your device will be the fastboot menu. The most notable features of this menu are the red Fastboot Mode text beneath a red triangle with an exclamation point inside it, and the green «locked» text.

Next we will need to unlock the bootloader.

You will need to confirm that you want to unlock the bootloader on your device itself using the Volume Keys to select ‘Unlock the bootloader’ in the selection text next to the Power Key, and then press the Power Key to confirm.

You will then be returned to the fastboot menu. The device state should now be red and state «unlocked». If the device state remains green «locked», you will need to re-try the fastboot flashing unlock command.

Next we can run the flash-all.bat that comes with all CopperheadOS factory images.

Do not move your device or touch the USB cable which connects your device to your Windows machine while flash-all runs. Interfering with the USB connection may result in a bad flash or a bricked device.

For example a with our sunfish device:

The device will restart several times.

With the flash-all script complete, you will be prompted to «Press any key to continue. » doing so will return you to the PowerShell prompt.

You will again be prompted by your device to confirm. Use the Volume Keys to select ‘Lock the bootloader’ from the selection text next to the Power Key and use the Power Key to confirm. Your device will restart.

Post flashing procedures

With the bootloader locked, you will now need to Start the device by pressing the Power Key. If Start is not selected on the Fastboot Mode menu, use the Volume Keys to select Start and then press the Power Key to confirm.

If your flash was successful, you will next see a yellow triangle and the texts «Your device is loading a different operating system. «

It is strongly recommended that you disable OEM Unlocking now that CopperheadOS is installed. To do so, follow the instructions below:

You should have at least 4GB of memory on your computer to avoid problems.

You can obtain the adb and fastboot tools from the Android SDK. Either install Android Studio or use the standalone SDK. Do not use distribution packages for adb and fastboot. Distribution packages are out-of-date and not compatible with the latest version of Android. An obsolete fastboot will result in corrupted installations and potentially bricked devices. Do not make the common mistake of assuming that everything will be fine and ignoring these instructions. Double check that the first fastboot in your PATH is indeed from an up-to-date SDK installation:

Installing platform tools on Mac OSX or Linux

Download the latest SDK platform-tools directly from Google here

To make your life easier, add the directories to your PATH in your shell profile configuration. This will make it so you do not have to be inside a specific directory to get access to fastboot.

Setting up the SDK on Linux without Android Studio

To set up a minimal SDK installation without Android Studio on Linux:

Run an initial update, which will also install platform-tools and patcher;v4:

For running the Compatibility Test Suite you’ll also need the build-tools for aapt:

To make your life easier, add the directories to your PATH in your shell profile configuration:

This is not mandatory, since you can run them from

You should update the sdk before use from this point onwards:

Enabling OEM unlocking

This information covers the Pixel 2, 3 and 3a series of secure phone.

OEM unlocking needs to be enabled from within the operating system.

If this setting is grayed out even after connecting to WiFi and selecting/de-selecting Developer Options numerous times, you may have a Bootloader-locked device.

Not all devices are created equally and not all devices are unlockable. There is a distinct difference between unlocked devices and bootloader unlockable devices. Often vendors will not know what a bootloader unlockable device is and confuse it with carrier-locked devices. Google has provided refurbished units in the past that are not unlockable even though they may have been unlockable before the refurbished status. To this date no bootloader unlocking exploit has worked or is recommended for installing CopperheadOS. If you encounter a bootloader locked device then you need to return it to the vendor.

Testing the Android bootloader for unlockable compatibility

To test bootloader-unlockable compatibility, use getprop in adb shell

At the time of this writing the only bootloader unlockable device code is 00000000 (Google)

The following is a non-exhaustive list of locked device codes Copperhead has encountered:

Updating stock before using fastboot

It’s important to have the latest bootloader firmware before installing CopperheadOS, due to bug fixes for the fastboot mode used to flash CopperheadOS. There are known issues with older versions of the bootloader that are likely to cause problems.

If you’re only behind one release, updating within the stock OS makes sense to get an incremental update. If you’re behind multiple releases, updating within the OS will usually require installing multiple updates to catch up to the current state of things. The quickest way to deal with that if you have plenty of bandwidth is sideloading the latest full over-the-air update from Google.

Obtaining factory images

The initial install should be performed by flashing the factory images. This will replace the existing OS installation and wipe all the existing data.

Latest CopperheadOS images

CopperheadOS currently provides factory images to the Copperhead Partner network and is not open to the public for download.

Legacy installation information (Nexus)

At one point Copperhead supported public downloading of official Nexus factory images on a releases page. Public factory had to be unfortunately images removed because of mass violation of Copperhead’s non-Commercial licensing.

Flashing factory images

First, boot into the bootloader interface. You can do this by turning off the device and then turning it on by holding both the Volume Down and Power buttons. Alternatively, you can use adb reboot bootloader from Android.

Supported devices unlocking directions

The bootloader now needs to be unlocked to allow flashing new images:

Legacy Pixel 2 XL bootloader unlocking directions

On some older models of Pixel 2 XL it’s necessary to unlock the critical partitions.

The command needs to be confirmed on the device.

Next, extract the factory images and run the script to flash them. Extracting the factory images depends on the OS you’re using and the applications available.

Note that the fastboot command run by the flashing script requires a fair bit of free space in a temporary directory, which defaults to /tmp :

Use a different temporary directory if your /tmp doesn’t have 2GiB available:

You should now proceed to locking the bootloader before using the device as locking wipes the data again.

Pixel 3/3a: setting custom AVB key

The custom AVB key for Pixel 3 and 3a series should automatically be set upon flashing.

Pixel 2 and 2 XL: Setting custom AVB key

On the Pixel 2 and Pixel 2 XL, the public key needs to be set for Android Verified Boot 2.0 before locking the bootloader again

To confirm that the key is set, verify that avb_user_settable_key_set is yes :

Locking the bootloader

Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions (boot, recovery, system, vendor) and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it’s verified again which makes verified boot robust to non-malicious corruption.

Reboot into the bootloader menu and set it to locked:

The command needs to be confirmed on the device since it needs to perform a factory reset.

Legacy bootloader locking

If your Pixel 2 XL is the same older model that requires unlocking of the critical_partition, lock the critical_partitions again:

Post installation precautions

OEM unlocking should be disabled again in the developer settings menu within the operating system. This prevents unlocking the bootloader without access to the owner account. CopperheadOS prevents bypassing the OEM unlocking toggle by wiping the data partition from the hidden recovery menu, unlike stock Android. You can still trigger factory resets from within the OS. Note that this means that recovering a device with a forgotten password is not possible without Copperhead doing it, which is the main purpose of this feature (anti-theft). Stock Android can be more forgiving because it’s tied to a Google account.

Note: Unlocking the bootloader again will perform a factory reset. Do not plan to do so unless otherwise requried.

You should now disable OEM unlocking and factory reset the CopperheadOS device for optimal hardware security.

CopperheadOS Signing Key Verification

On device boot the device screen will show an OS fingerprint which is used by Android Verified Boot to match the signing keys of the Operating System installed. Comparing the fingerprint on boot to the keys below is a foolproof way to determine if the device has a verified CopperheadOS install. If the fingerprints below do not match the device boot screen there is a possibility it is a non-CopperheadOS install. If that is the case proceed with caution if the device was not purchased from an authorized CopperheadOS partner.

Updates can also be downloaded from Copperhead and installed via recovery with adb sideloading. The zip files are signed and will be verified by the CopperheadOS recovery image. Sideloading should only be done if OTA updates are not working and there is a critical issue with Updater.

First, boot into recovery. You can do this either by using adb reboot recovery from the operating system or selecting the Recovery option in the bootloader menu.

You should see an Android lying on their back being repaired, with the text «No command» meaning that no command has been passed to recovery.

Next, access the recovery menu by holding down the power button and pressing the volume up button a single time. This key combination toggles between the GUI and text-based mode with the menu and log output.

Finally, select the «Apply update from ADB» option in the recovery menu and sideload the update with adb:

Clearing custom AVB key

On the Pixel 2 and Pixel 2 XL, reverting back to stock requires clearing the configured public key after unlocking the bootloader and before locking it again with the stock factory images:

To confirm that the key is unset, verify that avb_user_settable_key_set is no :

Copperhead sends out email blasts to announce major company updates, recent CopperheadOS developments, and occasionally highlight important security-related news.

Источник

В» Building CopperheadOS

CopperheadOS build instructions

Minimum hardware requirements

This documentation assumes you’re using Ubuntu 20.04 LTS (OS X is not supported). Contact os_team@copperhead.co if you’ve had success on other OS’s.

To ensure Java will be installed correctly first remove any possible conflicting versions

Install the necessary tools required

Initialize the repo tool in order to sync the source

Ensure the export paths are set up

CopperheadOS currently has official build support for the following devices:

In the past CopperheadOS supported:

It can be ported to other Android devices with Treble support via the standard device porting process. Most devices lack support for the security requirements needed to match how it works on the officially supported devices.

Downloading source code

Since this is syncing the sources for the entire operating system and application layer, it will use a lot of bandwidth and storage space.

You likely want to use the most recent stable tag, not the development branch, even for developing a feature. It’s easier to port between stable tags that are known to work properly than dealing with a moving target.

Copperhead requires our Partners to secure their source accounts. Two Factor Authentication is required.

The Android11 branch is used for all the currently supported Pixel family devices (2 through 4a and XLs) and other devices:

If your network is unreliable and repo sync fails, you can run the repo sync command again as many times as needed for it to fully succeed.

Updating and switching branches/tags

Generating release signing keys

Keys need to be generated for resigning completed builds from the publicly available test keys. The keys must then be reused for subsequent builds and cannot be changed without flashing the generated factory images again which will perform a factory reset. Note that the keys are used for a lot more than simply verifying updates and verified boot. Keys must be generated before building for the Pixel and Pixel XL due to needing to provide the keys to the kernel build system, but this step can be done after building for Nexus devices.

The keys should not be given passwords due to limitations in the upstream scripts. If you want to secure them at rest, you should take a different approach where they can still be available to the signing scripts as a directory of unencrypted keys. The sample certificate subject can be replaced with your own information or simply left as-is.

Pixel and Pixel XL use Android Verified Boot 1.0. The Pixel 2, 3, 3a, 4, 4a and the XL models all use Android Verified Boot 2.0 (AVB). Use the command below to generate all keys necessary.

The syntax for building a signed build is.

The following are the complete list of script options.

Like the Android Open Source Project, CopperheadOS contains some code that’s built separately and then bundled into the source tree as binaries. Ideally, everything would be built-in tree with the AOSP build system but it’s not always practical.

Unlike AOSP, CopperheadOS builds the kernel as part of the operating system rather than bundling a pre-built kernel image.

F-Droid is bundled as an APK Android Application in the external/F-Droid repository.

F-Droid Privileged Extension

The privileged extension is built from source from the main F-Droid privileged-extension repository as part of the normal build process. The privileged extension provides F-Droid with the capability to update, add and delete applications. Builders should take note that this component provides an automation route for application management similar to major App stores. CopperheadOS builds can additionally facilitate automatic deployment of repositories (which can include any application you have a license to distribute) upon provisioning with push/pull functionality, allowing for a fully automated application setup.

This has several advantages:

CopperheadOS Over-The-Air (OTA) Update Server

The OTA update server is a pivotal piece in any CopperheadOS secured deployment. Over-The-Air packages provide important system and Android security updates post-signing to devices. Verification of OTA packages occurs within the CopperheadOS Updater which provides the capability to rollback broken installs or reject unverified/falsely verified signed updates. Thus even in the unfortunate event that the OTA server is compromised, CopperheadOS devices cannot be forced to receive a malicious update.

Setting up a CopperheadOS OTA server requires only a few steps. Depending on the operators system development capacity, an OTA server can be deployed in minutes. Any HTTP server such as Nginx or Apache, can be used to serve the required files.

A typical CopperheadOS update server may look like this:

To demonstrate what an OTA update directory listing should look like, the device will be a Sargo (Pixel 3a) on the stable channel with the latest CopperheadOS version being 2020.04.20 and the previous version being 2020.90.00

Community Builders Initiative (CBI)

Building Android from source can be an intimidating task especially when compared to building Android applications or compiling components from system languages. CBI acts as a bridge between Copperhead’s OS experts, who have years of experience with Android, and users who are looking to benefit from building CopperheadOS from source in-house.

The community builders initiative is a channel from Copperhead to assist external builders looking to expand on a CopperheadOS deployment for commercial and/or non-profit purposes. Personal device users may benefit from this channel as well though the initiative will really benefit larger (>10 devices) deployments.

There are many types of individuals, organisations and businesses that benefit from involvement in CBI. Having control over the source code of an internal deployment is beneficial in that the company controls the signing keys and may have policies in place that won’t keep up with official CopperheadOS releases.

The possibilities are endless and some examples include:

Members of CBI receive:

Before enrolling in CBI members are expected to:

Email us builders@copperhead.co to get started in the enrollment process. If you experience issues building CopperheadOS from source please let us know on our official bugtrackers. General OS bugs can be filed here while device specific bugs can be filed on their respective issue trackers (ie: Pixel 2 XL). We look forward to working with you.

Device porting process

Porting CopperheadOS to custom and everyday Android devices is possible, including porting to non-phones. This process is extensive and requires coordination with the upstream ODM. AOSP compliant devices and Android 8.0+ devices released with Treble have helped make this process substantially smoother than in pre-Treble days.

The process to port CopperheadOS to a device is as follows:

Early CopperheadOS port

Early CopperheadOS testing

Full CopperheadOS port

Full CopperheadOS testing

CopperheadOS kernel code is GPL2, so derivatives using only the kernel changes simply need to respect the usual GPL2 rules by making the sources needed to build the kernel available, etc.

CopperheadOS userspace code is primarily licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license so a commercial license is required to earn money from derivatives using the userspace code. Licensing can be based on revenue sharing so don’t be afraid to contact sales@copperhead.co for small scale commercial licensing.

CopperheadOS art and branding is primarily licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license. Derivatives that are being distributed need to replace the boot animation, wallpaper and other art / branding. The current branding to replace, which will expand over time:

The ‘CopperheadOS’ branding itself is trademarked. Derivatives should come up with their own project name and globally replace ‘CopperheadOS’ with ‘NewProjectName’ if they’re being distributed. They should state that they use code based on CopperheadOS / ported from CopperheadOS but shouldn’t claim to actually be CopperheadOS itself. The current list of strings to replace, which will expand over time:

Copperhead sends out email blasts to announce major company updates, recent CopperheadOS developments, and occasionally highlight important security-related news.

Источник

Безопасный смартфон Tor на CopperheadOS: что это, как он устроен и почему это важно

Содержание статьи

«Защищенный смартфон от разработчиков анонимизирующего ПО» — звучит странно, не правда ли? Но не спеши с выводами. В отличие от того же BlackBerry Priv, «Tor-смартфон» основан на открытом ПО от нескольких компаний и независимых разработчиков, сам смартфон — это Nexus 6P. Его даже не собираются продавать, а вместо этого поставляют специальную прошивку.

Прошивка, естественно, основана на Android, но не на том Android, который ты привык видеть в своем смартфоне, а на его модификации под названием CopperheadOS. Ее создали security-специалисты из канадской компании Copperhead. Больше они, в общем-то, ничем не известны, но, судя по тем функциям, которые уже внедрены в прошивку, эти ребята явно знают, что делают.

CopperheadOS

Главная особенность CopperheadOS — существенно расширенные средства предотвращения взлома. Прошивка включает в себя модернизированную реализацию аллокатора памяти (malloc) из OpenBSD (подробнее о нем можно прочитать здесь), который рандомизирует выделяемые приложению страницы и заполняет мусором возвращаемые страницы памяти. Это делает атаки класса use-after-free более сложными в реализации. OpenBSD malloc также размещает метки в конце выделяемых областей памяти, которые проверяются при ее освобождении. Это позволяет бороться с атаками типа heap overflow.

Для защиты от модификации кода CopperheadOS использует механизм доверенной загрузки, впервые появившийся в Android 4.4, и, кроме того, не полагается на заблаговременно оптимизированный код приложений из каталога /data/dalvik-cache. Последний нужен для быстрого запуска приложений и генерируется во время первой загрузки смартфона (сообщение «Оптимизация приложений. »). Однако он же может быть использован для внедрения в систему зловредного кода: нет смысла подменять само приложение в разделе /system — механизм доверенной загрузки откажется загружать смартфон после модификации системного раздела, а вот оптимизированный код в /data/dalvik/cache ни у кого подозрений не вызовет.

Ядро CopperheadOS собрано с патчем PaX, включающим в себя несколько механизмов предотвращения атак:

В CopperheadOS более строгие правила SELinux — системы разграничения прав доступа к файлам, системным вызовам и железу. К примеру, здесь нельзя выполнить код из временных каталогов (подключенных с помощью псевдоФС tmpfs), нельзя получить доступ к важной системной информации и информации о других процессах с помощью чтения файлов каталога /proc.

CopperheadOS включает в себя множество других ограничений. По умолчанию стандартное приложение камеры не указывает в метаданных снимка местоположение съемки, а экран не показывает уведомления, которые могут раскрыть конфиденциальную информацию (Android и iOS разрешают показ таких уведомлений, с возможностью отключения). Работающие в фоне приложения не могут получить доступ к буферу обмена (что ломает работоспособность нескольких полезных приложений из маркета). MAC-адрес всех сетевых интерфейсов по умолчанию рандомизируется. Компонент WebView, отвечающий за отрисовку веб-страниц в сторонних приложениях (и многих браузерах), использует функцию isolatedProcess, позволяющую запереть каждый инстанс WebView в собственную песочницу.

Сам Chromium, на котором базируется WebView, включает в себя ряд ограничений и настроек, направленных на защиту от утечек данных: отключены коррекция ошибок в адресной строке, предзагрузка страниц, контекстный поиск, метрики и аудит гиперссылок. В качестве поисковой системы используется не отслеживающий пользователя DuckDuckGo.

Плюшки от Tor

CopperheadOS — лишь базовая часть прошивки. Поверх него работают еще несколько компонентов: Orbot, orWall, F-Droid, My App List и Google Play, включенный в базовую поставку не столько по причине доступа к магазину приложений (его функции здесь выполняет F-Droid), сколько по причине Signal. Последний использует сервисы Google для получения push-уведомлений.

Два главных компонента здесь — это, конечно же, Orbot и orWall. Первый — сборка Tor для Android, способная работать либо как локальный SOCKS-прокси, перенаправляющий трафик в Tor, либо в режиме root, когда весь трафик заворачивается в Tor брандмауэром iptables, что позволяет избежать любых утечек.

Xakep #216. Копаем BitLocker

Однако по умолчанию прошивка не использует ни тот, ни другой метод, а полагается на orWall, своего рода обертку для брандмауэра, которая позволяет заворачивать трафик в Orbot выборочно, для каждого отдельно взятого приложения. С его помощью можно тонко контролировать, кто будет ходить в сеть через Tor, кто напрямую, а кому доступ в интернет будет запрещен вовсе.

OrWall полностью блокирует любые интернет-соединения до тех пор, пока прошивка не будет полностью загружена. Это позволяет избежать любых утечек данных в том случае, если ты намерен выходить в интернет исключительно через Tor или полностью заблокировать доступ в интернет не вызывающему доверия софту.

OrWall: выбор проксируемых через Tor приложений

My App List — еще одно интересное приложение в комплекте прошивки. Изначально создано как удобный способ сохранить список установленных через магазин F-Droid приложений, но разработчики Tor задействовали ее для быстрой установки рекомендуемых приложений: они заранее подготовили список софта, который может пригодиться среднестатистическому юзеру, и загрузили его в My App List.

Установка

В данный момент прошивка доступна для Nexus 5X и Nexus 6P, однако ее установка существенно отличается от установки того же CyanogenMod или любого другого кастома. На самом деле это просто набор скриптов для Linux, который выкачивает последнюю версию CopperheadOS с официального сайта, скачивает дополнительное ПО, интегрирует его в прошивку, подписывает ее и устанавливает на устройство с помощью утилиты fastboot.

По этой причине для установки прошивки тебе понадобятся:

В Ubuntu все это можно установить так:

Подключаем смартфон по USB и выполняем следующую команду:

В ответ смартфон должен вывести диалоговое окно с вопросом о доверии ПК, с ним следует согласиться.

Осталось только скачать скрипты и запустить процесс прошивки:

Скрипт проведет тебя через все этапы установки. Естественно, данные с устройства будут стерты.

Вместо выводов

Прошивка от разработчиков Tor, безусловно, интересный проект. Используя ее правильно, можно получить практически не отслеживаемый через интернет смартфон. Однако стоит иметь в виду, что устройство останется не защищенным от отслеживания с помощью мобильных сетей и side channel атак, например возможности перехватить пароли с помощью анализа изменений в сигнале Wi-Fi.

Евгений Зобнин

Редактор рубрики X-Mobile. По совместительству сисадмин. Большой фанат Linux, Plan 9, гаджетов и древних видеоигр.

Источник